ROCK SOLID FREEBSD SUPPORT

For Your Peace of Mind

iXsystems is stepping up its game. In addition to our existing FreeBSD Hardware Support, we now offer Professional Enterprise Grade FreeBSD and PC-BSD Support as well. This means guaranteed response time support with customized service plans for any OS-related problem. And all from iXsystems, the all-around FreeBSD company that builds FreeBSD-certified servers and storage solutions, runs the FreeBSD Mall, and is the corporate sponsor of the PC-BSD Project.

Here are just a few of the many reasons to purchase professional FreeBSD or PC-BSD Support from iXsystems:

Increased Productivity

Our team can provide you with a wide array of services to maximize your systems' performance. From basic support to complex solutions, the experts on the iXsystems Service Support Team can do it all. This leaves your system administrators free to work on other tasks while iX handles all the heavy-duty lifting, resulting in greater productivity, higher availability, and increased stability.

Improved Security

Your company's information is an invaluable resource. Ensuring the ongoing security of corporate assets is essential to daily operations and maintaining competitive advantage. The iXsystems Service Support Team will use our extensive experience to maximize the security of your valuable data and operations. Your company will be notified of all the latest security updates so that you can keep your resources safe from harm.

Custom Development and Consulting

iXsystems partners with some of the most brilliant minds in the FreeBSD Community to offer custom development and advanced level FreeBSD consulting solutions. Our Account Management Service Professionals will work with you to develop software solutions specific to your business operations. iXsystems offers kernel tuning and system optimization, device driver creation, kernel, userland, and embedded systems development, and a host of other services that allow your company to fully utilize the FreeBSD and PC-BSD platforms.

Engineering Escalation

When the iXsystems Service Support Team encounters a confirmed bug, we can escalate the bug to the FreeBSD engineering team. We can also work with The FreeBSD Project to create and submit patches to the FreeBSD community for possible inclusion in the latest release.

For more information contact iXsystems at (408) 943-4100 or visit our website at http://www.ixsystems.com/rocxsollc and fill out the Inquiry form. We will pair you up with an Account Management Service Professional who can assess your needs and create a custom FreeBSD support plan for your organization!
This is the second time we meet. I hope you enjoyed the first issue of our brand new mag and that you have been looking forward to this issue. As always, you're more than welcome to send in your comments, replies, ideas and suggestions. If you'd like to become a BSD author or betatester, don't hesitate - just sign in.

This time my thanks go to Matt Olander and Jim Brown for their great help in improving the quality of the magazine. In addition, I'd like to thank all of you who got involved with this project and devoted your free time to help and respond to all "emergencies", even in the middle of the night. Thank you!

This issue is devoted to OpenBSD. As usual, we tried to cover the most interesting and useful topics as well as providing how-to's that will help you improve your skills. Gilles Chehade guides you through the process of installation and configuration of OpenBSD 4.3 and Peter N.M. Hansteen gives you a kick-start on using packages. Gilles also teaches you how to provide the best development platform on OpenBSD.

Machtelt Garrels discusses the certification that is being developed by the BSD Certification Group Advisory Board. Rob Somerville demonstrates how to build an OpenBSD server from scratch, Petr Topiarz, from the Czech OpenBSD community, provides a guide for people who use Linux or FreeBSD and would like to give OpenBSD a try on the desktop, and Svetoslav P. Chukov presents PBI, the PC-BSD installer.

In the administration section, Eric Schnoebelen and Michele Cranmer explain how to create a gateway between the Jabber network and closed networks and how to secure client-to-server and server-to-server communications using XMPP/Jabber features. Antti Kantee describes the kernel as a programming and testing environment.

We also decided to cover BSD in the context of its use in business and education: Girish Venkatachalam explains how to use OpenBSD to make money and iXsystems presents the use of PC-BSD in schools.

For those who don't really feel like getting into more technical details, Federico Biancuzzi interviews OpenBSD developer Damien Bergamini, Mikel King introduces Mac OS X as the 'other' BSD and Xavier Brinon reviews Absolute FreeBSD (2nd Edition) by Michael W. Lucas.

Enjoy!
All the best,

Karolina Lesinska
Executive Editor


BSD 2/2008

Contents

what's new
06 BSD news
Karolina Lesinska
Here you will find the future projects from the BSD world, new releases and solutions, and much more, directly from the people most involved in the BSD community.

dvd contents
08 DVD contents description
Karolina Lesinska
If you are curious what is covermounted this time in our magazine, you can find everything here.

get started
10 OpenBSD 4.3 Installation & Configuration
Gilles Chehade
If you are new to the OpenBSD distribution, Gilles guides you through the process of installing and configuring it.

18 You have installed it? Now what? Packages!
Peter N.M. Hansteen
Peter gives you the kick-start on packages and shows how to use them effectively and without much effort.

22 OpenBSD
Gilles Chehade
Gilles teaches how to provide the best development platform, in the form of a step-by-step tutorial for a development station, server development, setting up the accounts and mail notification.

26 BSD Certification by BSD Certification Group
Machtelt Garrels
Machtelt discusses the certification that is being developed by the BSD Certification Group Advisory Board: people who are actively involved in different BSD projects, key figures in their communities.

how-to's
30 Building an OpenBSD SAMP Server with Content Filtering Proxy
Rob Somerville
In this article Rob demonstrates how to build an OpenBSD server from scratch with Squid, Apache, MySQL, PHP and Webadmin.

38 OpenBSD as a Desktop
Petr Topiarz
Petr provides you with a guide for people who use Linux or FreeBSD and would like to give OpenBSD a try on the desktop, and explains some general Unix routines.

40 Inside the PBI System...
Svetoslav P. Chukov
The author presents PBI, the PC-BSD installer, with its unique and very useful package management system.

admin
44 Connecting to Other IM Networks
Eric Schnoebelen, Michele Cranmer
Eric and Michele follow up the article from the first issue. This time, they explain the mechanism to allow the creation of a gateway between the Jabber network and closed networks: AOL Instant Messenger, Yahoo!, ICQ and others.

50 Kernel File System Development in Userspace
Antti Kantee
In this article Antti describes the kernel as a programming and testing environment. He also describes the kernel code way of testing and developing — all that to make it more comfortable for the user.

54 Securing IM Using Jabber/XMPP and TLS
Eric Schnoebelen, Michele Cranmer
This time, the authors discuss how to secure client-to-server and server-to-server communications using XMPP/Jabber features.

in business
58 OpenBSD and Making Money
Girish Venkatachalam
Even though corporations accuse Open Source of being unable to bring in profits, in this article Girish shows that it is a serious business that can make you rich.

review
61 Absolute FreeBSD 2nd Edition
Xavier Brinon
In this article Xavier analyses Absolute FreeBSD 2nd Edition — the Complete Guide to FreeBSD, a book written by Michael W. Lucas.

62 PC-BSD in Schools
iXsystems
iXsystems presents PC-BSD in schools using the example of the Polux School success story.

interview
64 Interview with OpenBSD developer Damien Bergamini
Federico Biancuzzi
Federico Biancuzzi talks about WPA with Damien Bergamini, the developer who has done a huge amount of work on the OpenBSD wireless subsystem.

column
66 Mac OS X the Other BSD
Mikel King
Mikel King introduces Mac OS X — the other BSD.
Eldorado, Maximus and GSA

During the last 20 years malware (malicious software) has been constantly evolving and security programs have evolved in parallel. We have seen boot sector viruses, parasitic file-infecting viruses, macro viruses, mass-mailing worms, stand-alone backdoors, password stealers and various types of Trojans.

In the past two years we have seen better financed and organized malware development, possibly due to the involvement of organized crime, but the other recent major development is the appearance of server-side polymorphism. Twenty years ago the lifespan of malware was measured in months, even years. Today it is measured in hours. Dedicated servers distribute malware that changes every few minutes, faster than any anti-virus company can respond. Adding detection of each individual variant is of limited use, as it will no longer be in active distribution by the time the users of the anti-virus product receive the detection update.

The approach the FPROT developers have taken is to increase the emphasis on heuristic detection, which detects potentially malicious behaviour in advance — not requiring updates for every single new variant. FPROT pioneered heuristic scanning back in 1992, and over the years we have introduced various innovations, such as heuristics based on neural networks. The latest development in the FPROT engine has been the introduction of three independent heuristic engines, code-named Eldorado, Maximus and GSA. Those engines use fundamentally different methods and are maintained by different teams, with a bit of a friendly in-house rivalry. The goal is that by the end of 2008 those three heuristic scanning engines will provide proactive detection of the vast majority of new malware — detect it as soon as it is released by the authors, without requiring any updates. It will never be possible to detect all malware proactively — any such claims are just irresponsible marketing hype, but Eldorado, Maximus and GSA will provide FPROT users with a significant level of protection. That is our goal.

NetBSD now has UDF write support

Reinoud Zandijk has been working on support for the Universal Disk Format in NetBSD for quite some time, and in mid-May he reached another major milestone by adding write support to NetBSD's UDF file system. "It can now read and write files and directories on CD-R/RW, CD-MRW, DVD-R/RW, DVD+R/RW, DVD+MRW, (USB) flash media and hard disc partitions. Media like Iomega Rev should also work fine," he said. In fact, this means that within NetBSD you can now mount any UDF formatted media and use your favorite tools, like cp, mv, rm, or even an X11 file manager, over it.

New default license for NetBSD

Following from a vote amongst the membership of the NetBSD Foundation and in recognition of the changing face of software licensing, the Foundation has changed its recommended license to be a two clause BSD license. Dropped clauses are the advertising clause and the "endorsement" clause (3 and 4 respectively). "We have seen organizations and people concerned about the old clause 3 in the license, to the extent where NetBSD code could not be used in commercial products; the new license means that these concerns are no longer valid," said Alistair Crooks, The NetBSD Foundation's president. Also, the members of the NetBSD Foundation no longer considered clause 4 to be useful in today's software world.

All third parties are allowed and encouraged to change any previously used NetBSD Foundation license to the new two clause NetBSD license. Updated NetBSD copyright and licensing terms can be found at http://www.NetBSD.org/about/redistribution.html.

Getting ready for the next release

The NetBSD source tree has been frozen in preparation for a new release. During the freeze period, no new functionality is being added to the tree, and only bug fixing is allowed. pkgsrc, another major NetBSD project, has used freeze periods ever since it started making branches, in order to stabilize features in preparation for a stable branch. This practice has been successful over time, and now it was decided to try it for NetBSD releases too. As soon as the source tree entered the freeze period, the NetBSD Release Engineering Team, who manages all stable branches, took control of all commits. Releng will also define how long the freeze will take. It is expected that the upcoming NetBSD 5.0 release will contain many interesting features, like improved threading and SMP, a new kernel scheduler supporting real-time classes, write support for UDF, the Automated Testing Framework, EM64T/AMD64 and PAE support for Xen, as well as support for new hardware platforms and numerous devices.

by Mike M. Volokhov

Software News:

Firefox 3 - Released June 17th. Just in case you've been living under a rock, Firefox runs under the X Window System on all current versions of the BSDs, as well as Mac OS X, Solaris, and of course Microsoft Windows. To download a binary version for your particular operating system go to http://www.mozilla.com; however, on most of the BSDs you will need to either install it from the ports or use pkgsrc.

OpenOffice.org 3.0 - The public beta release of OpenOffice.org 3.0 is now ready for testing. This beta release is made available to allow a broad user base to test and evaluate the next major version of OpenOffice.org, but is not recommended for production use at this stage. If you are a regular user of OpenOffice.org, here's a great opportunity to help us make the next release the best ever. For more details, refer to the following URL: http://www.openoffice.org/project/marketing/3.0/announcementbeta.html
Update on the BSD Certification Group

The BSD Certification Group has recently released the BSD Associate certification exam. This exam is the first in a series of exams that focus on BSD systems. The exam covers seven diverse knowledge domains: Installing & Upgrading the OS and Software; Securing the Operating System; Files, Filesystems, and Disks; etc. The complete list is on the website.

The exam has been active since February 2008, and to date the exam has been held eight times in various cities in North America and Europe: Los Angeles, Ottawa, Krakow, Brussels, Toronto, Berlin, Ede, and Chemnitz. You might think that it's an easy exam and everyone passes, but that isn't the case. The failure rate is currently about 20%.

Why is the failure rate so high? Without a doubt, it's because people come to the exam expecting it to be a breeze and they find out it's not. The exam tracks very closely to the objectives that were published by the BSDCG in October 2005, the questions are pretty evenly distributed among the above domains, and it covers the four BSD versions: FreeBSD, OpenBSD, NetBSD, and DragonFly BSD.

The result? It's not a cake-walk. If you come to the exam with experience in a single version of BSD, you won't pass the exam. Comments from those who have taken it: it was "harder than I thought it would be" and "it made you think".

Now that the exam is out, there are many projects that the BSDCG would like to get started, such as the BSD Professional certification. This certification will probe even deeper into complex administrative tasks that BSD system administrators have to perform every day: filesystem issues and access controls, process control, virtualization, multiple network configurations, firewalls, and so forth. The good news is that there is a rich load of material to draw on: BSD systems contain a wealth of well documented features, thanks to developers all over the world.

The certification effort is community driven and everyone can help by spreading the word to local user groups, forums, schools and universities, etc.

To find out more about how you can help visit the website at www.bsdcertification.org.

Finally, Professional Support, Consulting, and Development for FreeBSD!

iXsystems has announced the launch of its Professional Enterprise Services and Support Division for FreeBSD and PC-BSD. "We feel that offering Professional Level Support for FreeBSD and PC-BSD is one of the main barriers that the platforms face to expand adoption. While there may be some companies that are capable of supporting them, there are none, to my knowledge, currently offering services and support on an Enterprise Class level specific to FreeBSD and PC-BSD," says Matthew Olander, CTO of iXsystems. "This is a barrier we are happy to remove." The service and support offerings will include customer support as well as customized offerings across a wide range of issues such as installation support, large deployments and kernel tuning.

It is also worth noting that iXsystems decided to open its own support center in the Midwestern United States as opposed to using an outside customer service firm. This has a number of advantages that company officials believe will enhance customer satisfaction. "We have in-house professionals who have been working on various levels of the FreeBSD and PC-BSD projects for a very long time, who will be much more concerned about providing successful solutions for our customers and much more responsive than an outside firm," explained iXsystems CEO Michael Lauth.

A FreeBSD Laptop with Everything (mostly) Working?

In addition to launching its Support division, iXsystems is currently putting the finishing touches on the Invincibook, a FreeBSD compatible laptop that will soon be available. The Invincibook is made with an anti-shock mounting design that protects the LCD and hard drive from damage and data loss. Additionally, it is water resistant to protect the internal components from accidental spills. The Invincibook will ship with Fibonacci, the upcoming release of PC-BSD, a powerful OS running FreeBSD 7 under the hood and featuring a powerful GUI for graphical system installation. PC-BSD installs applications via the Push Button Installer (PBI), a graphical utility to remove and install software in a simple to use, self-contained format.

PC-BSD Fibonacci Edition also features various new server tools and enhancements including speed improvements with the ULE Scheduler, experimental ZFS support during install, and UFS Journaling through GEOM.

Who are these Guys?

Formerly BSDi's hardware division, iXsystems, Inc. is a premier builder of FreeBSD-certified servers, storage, and related products. iXsystems develops custom hardware solutions that address a company's technical and budgetary needs within their specific network architecture.

OS compatibility is a key component of iXsystems' Open Source Hardware Design process. This means that they will work backwards to develop a custom solution ideal for the customer, instead of requiring the customer to compromise their specific hardware requirements and limit their choice of OS to fit within the parameters and specifications of a product line.

iXsystems is also the corporate sponsor of the PC-BSD Operating System and recently acquired FreeBSD Mall and BSD Mall, two providers of high quality BSD software, apparel, and literature. For more information visit the iXsystems website at http://www.ixsystems.com.
OpenBSD 4.3

This is a partial list of new features and systems included in OpenBSD 4.3. For a comprehensive list, see the changelog leading to 4.3.

New/extended platforms:

- OpenBSD/sparc64 SMP support. This should work on all supported systems, with the exception of the Sun Enterprise 10000.
- OpenBSD/hppa K-class servers like the K200 and K410 are supported now.
- OpenBSD/mvme88k SMP support on MVME188 and MVME188A systems. The 88110 processor, and thus MVME197LE/SP/DP boards, are supported now.
- OpenBSD/sgi contains many new drivers, however the kernel requires an important errata fix.

New tools:

- snmpd(8), implementing the Simple Network Management Protocol.
- The snmpctl(8) program controls the SNMP daemon.
- The pcidump(8) utility displays the device address, vendor, and product name of PCI devices.
- ldattach(8) is used to attach a line discipline to a serial line to allow for in-kernel processing of the received and/or sent data.

For more information about OpenBSD 4.3 please visit http://www.openbsd.org/.

Ampache 3.4.1

Ampache is a Web-based audio file manager which is implemented with MySQL and PHP. It is one of the oldest applications of that type. Ampache's goal is to maintain a secure and fast web front end that will run on any platform that supports PHP and on any hardware. It allows you to create user accounts and share the music with other Ampache servers. It also allows you to modify your audio files via the web, and it has support for playlists, album art, artist and album views, playback via HTTP/on the fly transcoding and downsampling, an integrated Flash player, vote based playback, Icecast and MPD, as well as per user themes and song play tracking. Ampache also provides an API for pulling out meta data in the form of XML documents.

The latest version, Ampache 3.4.1, contains many changes such as:

- Complete re-write in PHP5
- AJAX'd interface
- Active Playlist concept added
- XML API
- Dynamic Playlists
- vastly improved browsing system

For more information please see: http://www.ampache.org/

DragonFly 1.12.2

DragonFly is an operating system and environment originally based on FreeBSD. DragonFly branched from FreeBSD in 2003 in order to develop a radically different approach to concurrency, SMP, and most other kernel subsystems.

DragonFly belongs to the same class of operating system as BSD and Linux and is based on the same UNIX ideals and APIs. DragonFly gives the BSD base an opportunity to grow in an entirely different direction from the one taken in the FreeBSD, NetBSD, and OpenBSD series.

For more information about the 1.12.2 release please visit: http://www.dragonflybsd.org/community/release1_12.shtml

MirBSD

MirOS BSD is a secure computer operating system from the BSD family for 32-bit i386 and sparc systems. It is based on 4.4BSD-Lite (mostly OpenBSD, some NetBSD). It is a derivative of OpenBSD. Source code from OpenBSD is regularly imported and merged. MirOS BSD often anticipates bigger changes in OpenBSD and includes them before OpenBSD itself. For example, ELF on i386 and support for gcc3 were available in MirOS first. Controversial decisions are often made differently from OpenBSD; for instance, there won't be any support for SMP in MirOS. The most important differences to OpenBSD are:

- Completely rewritten bootloader and boot manager without an 8 GiB limit and with Soekris support
- Slim base system (without NIS, Kerberos, Bind, i18n, BSD games, etc.), Bind and the BSD games being available as a port
- Binary security updates for stable releases
- ISDN support
- IPv6 support
- software
- wtf, a database of acronyms
- Some of the GNU tools (like gzip and *roff) were replaced by original UNIX code released by Caldera
- in the web server

For more information please see: http://www.mirbsd.org/main.htm

F-PROT Antivirus for BSD Workstations

For home users using the BSD open-source operating system, we offer F-PROT Antivirus for BSD Workstations. F-PROT Antivirus for BSD Workstations utilizes the renowned F-PROT Antivirus scanning engine for the primary scan but has in addition to that a system of internal heuristics devised to search for unknown viruses.

F-PROT Antivirus for BSD was especially developed to effectively eradicate viruses threatening workstations running FreeBSD, NetBSD, or OpenBSD. It provides full protection against macro viruses and other forms of malicious software — including Trojans.

F-PROT Antivirus for BSD Workstations is FREE for Home Users.

F-PROT Antivirus for BSD Workstations is FREE for use by personal users on personal workstations.

Features

F-PROT for BSD Workstations features:

- Scans for over 1001738 known viruses and their variants
- Ability to perform scheduled scans when used with the Unix cron utility
- Scans hard drives, CD-ROMs, diskettes, network drives, directories and specific files
- Scans for images of boot sector viruses, macro viruses and Trojan Horses

If you have encountered any problems with the DVD, please write to: cd@software.com.pl
OpenBSD 4.3

Installation & Configuration

Gilles Chehade

This issue of BSDMAG comes with a DVD containing the installation program for the OpenBSD 4.3 operating system. This article will help you go through the installation process and the first steps at configuring and making use of this increasingly popular system.

OpenBSD is one of the four major BSD systems and follows the long tradition of giving away quality software without any strings attached. It is known for having a strong goal of security and advertising only two remote holes in the default install in more than ten years, but to be honest this is a side effect of a strong focus on keeping the code clean and not accepting dirty hacks for convenience. In the last few years, with other systems accepting to incorporate more and more closed-source objects (also known as blobs) in their systems, OpenBSD has gained another reputation of strong commitment to free software by refusing to sign non-disclosure agreements, removing support for non-friendly vendors and reverse-engineering drivers when other systems accepted the closed drivers provided by vendors and eventually made their integration easier. This is a rather short description but there are plenty of goals and going through all of them would probably make an article by itself.

So, let's get started with the installation!

Installation

OpenBSD has a reputation of having a very difficult installer for those who are used to the so-called modern GUI-based installers. In practice, despite the fact that it is console-based, the installation process is very easy if you take the time to follow the instructions that are available in the FAQ and on-screen as the installation goes on. After you are familiar with the very few steps, you will be able to perform complete installs in just a few minutes and amaze your friends.

Getting the media

OpenBSD is as free as can be and you can download it from the several FTP, HTTP, AFS and RSYNC mirrors listed on the official website; however it is strongly encouraged that you buy yourself a CD set as it is the main source of revenue for the project. Also, they are cool looking and come with stupendous stickers. To start the installation, boot your computer from the DVD. You will be facing a boot prompt which is the entry point for you either to boot the system or the installer. You can simply press enter or wait for the bootloader to boot the default image. The installer will then load the kernel and you will see a lot of lines scrolling with information as to which devices were found and/or supported. After that, the following prompt will appear:

(I)nstall, (U)pgrade or (S)hell? <i>

The options are quite self-explanatory, you can proceed to install by simply typing 'i'. The next prompt will request the terminal type and keyboard mapping:

Terminal type: [vt220] <enter>
kbd(8) mapping? ('L' for list) [none] <enter>

Again, no dark magic, the terminal can be left at the default if you are not doing the install in a weird setup (from another machine connected to the setup machine through a serial cable, for example). The keyboard mapping is up to you for obvious reasons, the default will be a US qwerty. Even though I am a froggy, I happen to have a qwerty so no need for fr in my case. Make sure not to use an incorrect mapping or you may end up in an uncomfortable position when requested to enter a password.

The installer will then remind you that the install process is a destructive operation and that you should do backups. Seriously, do it.

Proceed with install? [no] <y>

Next step is where things get trickier and where reading skills are required in order not to break things. First, you are
prompted for the disk you will be installing OpenBSD on:

Available disks are: wd0
Which one is the root disk? (or done) [wd0] <enter>

In this case I only have one disk so the list of available disks is pretty short. Once you validate the disk, you are asked if the disk will be fully dedicated to OpenBSD or not. Replying no will drop you into the fdisk utility where you can manage your partitions. I have not done a dual boot in years so I can only suggest you read the OpenBSD FAQ which explains the steps to do so, but to summarize you need to select which partition to use, set its type to A6 (OpenBSD) and write the MBR. These are three commands I will leave as an exercise to you.

After the disk has been selected (and eventually partitions set up), we will be dropped into the disklabel utility to slice the disk and define the mount points:

Initial label editor (enter '?' for help at any prompt)
>

The help menu here should be sufficient to get you going, but to make it even more simple, here is the hint:

(a)dd a slice
(d)elete a slice
(p)rint information regarding the slices

Each time you add a slice, you are prompted for information regarding the slice:

> <a>
name: [a] <enter>
offset: [0] <enter>
size: 80M
Rounding to cylinder: 164304
FS type: [4.2BSD] <enter>
mount point: [none] /
>

It is recommended that you create slices for /, /home, /usr, /var, /tmp and the swap, though as long as you have a / slice OpenBSD should be happy. The sizes are really up to you and very dependent on what you plan to do with your system.

Keep in mind that if you create all the recommended slices, / will not be very populated, /usr will be growing with each third party application or library you install, and /var will be growing with each email, logs and runtime data that are going to be written to disk (runtime data includes databases if you plan on installing a package such as postgresql & friends). It is not too important that you get partitions right, but it is important that you do not get them wrong, as it is easier to deal with adding a new slice than to deal with a disk full error. So, try to think from the beginning about what your computer will do and make sure each slice has enough space to work with.
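The disk full error the article warns about is cheap to catch early. The following POSIX sh function is an added example, not part of Gilles' article: it reads `df -k` output in OpenBSD's six-column layout (the sample embedded below is constructed to mirror the recommended /, /tmp, /var, /usr, /home slices) and flags any slice whose usage is at or above a threshold, recomputing the percentage from the Used and Avail columns rather than trusting the rounded Capacity column.

```shell
#!/bin/sh
# Added example (not from the article): flag slices that are filling up.
# Input is `df -k` output; on a live system pass "$(df -k)" as the second
# argument. The sample below is constructed, not captured from a real box.

SAMPLE_DF='Filesystem  1K-blocks     Used     Avail Capacity  Mounted on
/dev/wd0a      153600   131072     14336    90%    /
/dev/wd0d      131072     4096    120320     3%    /tmp
/dev/wd0e     4194304  3932160    163840    96%    /var
/dev/wd0f     8388608  2097152   5992448    26%    /usr
/dev/wd0g    20971520  1048576  19922944     5%    /home'

# check_slices THRESHOLD [DF_OUTPUT]
# Prints "mountpoint percent" for every /dev-backed slice whose usage is at
# or above THRESHOLD percent. Usage is recomputed as Used/(Used+Avail),
# rounded to the nearest integer, so the reserved area a filesystem keeps
# for root cannot mask a nearly full slice. Exit status is 1 if anything
# was flagged and 0 otherwise, which makes the function usable from cron.
check_slices() {
    threshold=$1
    input=${2:-$SAMPLE_DF}
    printf '%s\n' "$input" | awk -v thr="$threshold" '
        NR == 1 { next }                      # skip the header line
        $1 ~ /^\/dev\// {
            used = $3 + 0; avail = $4 + 0; total = used + avail
            pct = total > 0 ? int(100 * used / total + 0.5) : 0
            if (pct >= thr) { printf "%s %d\n", $6, pct; found = 1 }
        }
        END { if (found) exit 1; exit 0 }
    '
}

# Stand-alone run against the sample: / and /var are at or above 90%.
check_slices 90 || echo "one or more slices need attention"
```

With the sample data the 90% threshold reports `/ 90` and `/var 96`; raise the threshold to 97 and nothing is flagged, so the exit status drops back to 0.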

There are no standard sizes, but if you create the five (+ swap) recommended slices, a good rule is to have:

- / around 150MB, as there is not really any need for more; swap close enough to your memory size so that in a worst case scenario where your kernel would crash, the core could be written to disk
- /tmp: this depends on your needs for temporary files; usually it can remain quite small. I usually make them 128MB and consider them already way too big.

The remaining space has to be balanced with your need to provide users with space for their home directories, your need to use third party applications and/or get a copy of the OpenBSD source tree (installed in /usr/src), and your need to store email, databases, logs, websites, and other random data in /var. No one can make the choice for you, you are on your own.

Once we are done with the slicing, we only need to save and quit disklabel

Listing 1. Network configuration

Configure the network? [yes] <enter>
Available interfaces are: rl0.
Which one do you wish to initialize? (or 'done') [rl0] <enter>
Symbolic (host) name for rl0? [lappy] <enter>
The media options for rl0 are currently
    media: Ethernet autoselect (100baseTX full-duplex)
Do you want to change the media options? [no] <enter>
IPv4 address for rl0? (or 'dhcp' or 'none') [dhcp] <enter>
Issuing hostname-associated DHCP request for rl0.
DHCPDISCOVER on rl0 to 255.255.255.255 port 67 interval 1
DHCPOFFER from 192.168.0.1
DHCPREQUEST on rl0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.1
bound to 192.168.0.242 -- renewal in 1800 seconds.
IPv6 address for rl0? (or 'rtsol' or 'none') [none] <enter>
No more interfaces to initialize.
DNS domain name? (e.g. 'bar.com') [my.domain] poolp.org
DNS nameserver? (IP address or 'none') [192.168.0.100] <enter>
Use the nameserver now? [yes] <enter>
Default route: (IP address, 'dhcp' or 'none') [dhcp] <enter>
Edit hosts with ed? [no] <enter>
Do you want to do any manual network configuration? [no] <enter>

Listing 2. Useradd command line

# useradd -s /bin/sh -d /home/gilles -m gilles
# userinfo gilles
login   gilles
passwd  *************
uid     1000
groups  users
change  NEVER
class
gecos
dir     /home/gilles
shell   /bin/sh
expire  NEVER
#
to go on. That is respectively the (w) rite 
and (q)uit commands. This was the 
trickiest part of the installation process: 


> <w> 


> <a> 
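The sizing rule of thumb above, turned into a plan that can be checked before it is typed into disklabel. This is an added example, not code from the article; the percentages for /home, /usr and /var and the fixed 128MB /tmp are my own assumptions, and slice letter c is skipped because disklabel reserves it for the whole disk.

```shell
#!/bin/sh
# Added example, not from the article: a slice plan from the article's rule of
# thumb. Assumptions of my own: sizes in MB, / fixed at 150MB, swap equal to
# RAM, /tmp fixed at 128MB, remainder split 50% /home, 30% /usr, 20% /var.
ROOT_MB=150
TMP_MB=128

# plan_slices DISK_MB RAM_MB: one "letter<TAB>mount<TAB>MB" line per slice
# (letter c is left out: it is the whole-disk slice). Fails when the fixed
# slices alone would not fit, the "disk full" situation the text warns about.
plan_slices() {
    disk_mb=$1 ram_mb=$2
    swap_mb=$ram_mb
    fixed=$((ROOT_MB + swap_mb + TMP_MB))
    if [ "$disk_mb" -le "$fixed" ]; then
        echo "disk too small: /, swap and /tmp alone need ${fixed}MB" >&2
        return 1
    fi
    rest=$((disk_mb - fixed))
    home_mb=$((rest * 50 / 100))
    usr_mb=$((rest * 30 / 100))
    var_mb=$((rest - home_mb - usr_mb))   # remainder, so the total is exact
    printf 'a\t/\t%d\n' "$ROOT_MB"
    printf 'b\tswap\t%d\n' "$swap_mb"
    printf 'd\t/tmp\t%d\n' "$TMP_MB"
    printf 'e\t/home\t%d\n' "$home_mb"
    printf 'f\t/usr\t%d\n' "$usr_mb"
    printf 'g\t/var\t%d\n' "$var_mb"
}

# slice_size DISK_MB RAM_MB MOUNT: size of one slice from the plan.
slice_size() {
    plan_slices "$1" "$2" | awk -F'\t' -v mp="$3" '$2 == mp { print $3 }'
}

# plan_total DISK_MB RAM_MB: sum of all slices; must equal DISK_MB.
plan_total() {
    plan_slices "$1" "$2" | awk -F'\t' '{ s += $3 } END { print s + 0 }'
}

# Usage: plan_slices 20000 512 prints the plan for a 20GB disk and 512MB RAM.
```

Run plan_slices with your disk and memory size and compare the /var and /usr figures against what you expect the machine to store; the check that the total equals the disk size is what catches a plan that was edited by hand.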


Next step will have us confirm our slices and make sure we want to proceed to the formatting of our slices, which will erase disk content:

The next step *DESTROYS* all existing data on these partitions! Are you really sure that you are ready to proceed? [no] <y>

Then the installer will set up its slices in an operation that takes more or less time depending on slice size. When done, you are prompted for the system hostname:

System hostname (short form, e.g. 'foo'): <lappy>

Since the installer allows installation through other media than a CD or DVD, like an ftp server for example, the network can be configured at install time. The configuration will be saved so that there is nothing to do post-install. Here I will use DHCP, but the configuration of a statically assigned IP address is straightforward: see Listing 1.

Listing 3. Exit the installation

# exit
OpenBSD/i386 (lappy.poolp.org) (ttyC0)

login: gilles
Password:
OpenBSD 4.3 (GENERIC) #848: Tue Apr 29 20:33:07 MDT 2008

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

$ id
uid=1000(gilles) gid=10(users) groups=10(users)
$

I am logged in as ``gilles'', let's see if I can issue commands as root:

$ sudo id

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: <IlUvBsD42>
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
$

At this point, the network is configured 
and you are already able to ping the pc 
from another computer if you want to. Be- 
fore going further, we are prompted for the 
root password: 


Password for root account? (will not echo)
Password for root account? (again)

Make sure to use strong passwords, a mix of alphanumeric and punctuation is a minimum.

The last steps are selecting the install 
media: 


Location of sets? (cd disk ftp http or done) [cd] <enter>
Available CD-ROMs are: cd0
Which one contains the install media? (or done) [cd0] <enter>
Pathname to the sets? (or done) [4.3/i386] <enter>

A list of sets is then displayed and we are 
prompted: 


Set name? (or done) [bsd.mp] <*>
[list of all selected packages]
Set name? (or done) [bsd.mp] <done>


Unless you know what you are doing, which would be doubtful if you are reading this far, you should install all sets. Not all are required, but OpenBSD is small enough that you do not need to go through the hassle of figuring out what is needed and what is not. A description of sets is available in the FAQ. If you still want to minimize the install, however, keep in mind that a full install in OpenBSD is not at all the same as a full install on some other systems: a full install will not get you a multimedia player, ten text editors and twelve compilers. It will only install applications which are part of the OpenBSD base system.

As soon as you type done, the sets will start extracting. It should only take a few minutes depending on your system. Finally, the installer will prompt just a few questions regarding which services to start at boot time and your timezone:

Start sshd(8) by default? [yes] <y>
NTP server? (or 'none' or 'default') [none] <default>
Do you expect to run the X Window System? [no] <y>
What timezone are you in? ('?' for list) [Canada/Mountain] <Europe/Paris>

After a few seconds you should see:

CONGRATULATIONS! Your OpenBSD install has been successfully completed!
To boot the new system, enter halt at the command prompt. Once the system has halted, reset the machine and boot from the disk.

# <halt>

That is all, OpenBSD is now installed and I will be able to log into it right after I issue a reboot. It took me what, five minutes? Talk about an unfair reputation.


Post installation 

Creating an account. After I boot for the first time on my brand new system, the following prompt welcomes me:

OpenBSD/i386 (lappy.poolp.org) (ttyC0)
login:

I can now log in as user root to start setting up the system. First thing to notice is that I got mail and that I am prompted for a terminal type. No need to argue, I will accept the default:

You have new mail.
Terminal type? [vt220] vt220
#


In case you cared, the mail was from Theo de Raadt, OpenBSD's project leader. A lot of useful information was in it. I would be happy to sum it up, but I guess it would spoil your fun. Now that I am logged in as root, the first thing to do is create myself an account so that I can stop being logged in as root. There are (more than) two tools which will allow me to do that:

- adduser is an interactive utility, a perl script if you are curious
- useradd is a command line utility

Both will get me through my goal of setting up an account, but they use different interfaces so it really is a matter of taste. Since I am not a big fan of interactive tools, my example will use useradd and you will get to read a couple of man pages [adduser(8), useradd(8)] to see what other options I have not told you about. Happy? You'd better be, because in OpenBSD-land you will be reading a lot. See Listing 2.

Here, I only created the account gilles and specified its shell and home, the -m option being to force creation of the home directory in case it does not exist. useradd has plenty of configuration options to ease account creation. One could for example set up an expiry time for account or password, or even a user class or group. The userinfo utility can, amongst other things, display a short summary with all information regarding a particular account. There is more use to it, but guess what? Yup, [userinfo(8)].

For now, we do not really care about all this, all we want is to log in as user gilles and leave root as soon as possible. To do so, I lack a password:

# passwd gilles
Changing local password for gilles.
New password: <foo>
Please enter a longer password.
New password: <foo123>
Please use a more complicated password.
Please use a different password. Unusual capitalization,
control characters, or digits are suggested.
New password: <IlUvBsD42>
Retype new password: <IlUvBsD42>
#

In the example above, the passwords enclosed in '<' and '>' did not show up on the terminal; however, now that you see what I typed, you get to realize that a strong password policy is enforced by the passwd utility. It must not be too short, it must not be too easy, it must be a real password. Obviously there is a way to get around this, but that kind of trick I will not tell you.

Listing 4. Interface name

$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:21:4c:6e:eb
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.0.42 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::219:21ff:fe4c:6eeb%rl0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog

Listing 5. Configure the network

for dhcp:
$ sudo tcsh
# echo "dhcp" > /etc/hostname.rl0
# exit
$

for my statically assigned address:
$ sudo tcsh
# echo "inet 192.168.0.42 255.255.255.0 NONE" > /etc/hostname.rl0
# exit
$
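The three outcomes of the passwd session above (too short, too simple, accepted), reproduced by a small policy function. This is an added example and not how passwd(1) itself decides: on OpenBSD the real minimum length and external checker come from login.conf(5), and the thresholds here (6 characters, 3 character classes) are my own assumptions chosen so that the article's three attempts sort the same way.

```shell
#!/bin/sh
# Added example, not the article's code and not passwd(1)'s own algorithm:
# a simplified password policy. Thresholds are assumptions of my own; the real
# limits on OpenBSD come from login.conf(5) (minpasswordlen, passwordcheck).
MIN_LEN=6
MIN_CLASSES=3

# check_password PASSWORD: prints the reason on stdout and returns 1 when the
# password is refused, returns 0 when it is acceptable.
check_password() {
    pw=$1
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    if [ "$len" -lt "$MIN_LEN" ]; then
        echo "Please enter a longer password."
        return 1
    fi
    # Count the character classes present: lower, upper, digit, other.
    classes=0
    printf '%s' "$pw" | grep -q '[a-z]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[A-Z]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[0-9]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' && classes=$((classes + 1))
    if [ "$classes" -lt "$MIN_CLASSES" ]; then
        echo "Please use a more complicated password."
        return 1
    fi
    echo "Password accepted."
    return 0
}

# Usage: check_password foo; check_password foo123; check_password IlUvBsD42
```

Where this is useful to an administrator is not as a replacement for passwd, but as a way to see what a given policy refuses before tightening login.conf for everybody and locking colleagues out of their accounts.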

Now, I am able to log out from root and log in as user gilles, but I still need to do one last thing. Since being logged in as root is unsafe, and since my main account is gilles, I will configure the sudo utility to give me the ability to execute privileged commands as user gilles. The command visudo will allow me to edit the sudoers file.

# visudo

This will launch a text editor, vi by default, and by adding:

gilles ALL=(ALL) SETENV: ALL

in the User privilege specification section of the file, I will be able to execute commands as root by prefixing them with sudo. Beware that executing commands through sudo is not safer than executing them as root, but this forces you to ask yourself the question do I really want to do this? every time you start typing sudo in your shell.

Now is time to kiss root goodbye! (see Listing 3)

It seems to work pretty well. Note that there is a way to disable the password prompting, but keeping it makes it annoying enough that you do not end up doing sudo commands all the time. It forces you to think about what you are doing in your session instead of blindly prepending sudo everywhere; as a side effect, a session that you would forget to lock will not get your system compromised. A user that shares your computer and attempts to brute force your sudo account will trigger mail being sent to root. We will later see how to alias the root account to my unprivileged account, as root happens to receive mail we DO care about.

Listing 6. The list of ports

$ make search name="tcsh"
Port:   tcsh-6.15.00
Path:   shells/tcsh
Info:   extended C-shell with many useful features
Maint:  The OpenBSD ports mailing-list <ports@openbsd.org>
Index:  shells
L-deps:
B-deps:
R-deps:
Archs:  any
$

Listing 7. /etc/rc.conf file

...
httpd_flags=NO          # for normal use: ""
                        # use -u to disable chroot, see httpd(8)
...
sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
#sendmail_flags="-L sm-mta -bd -q30m"   # ... and note there is a cron job
...


Just a few words before we go further

As I said in the previous section, in OpenBSD-land we get to read a lot. This is a habit that is kind of strange to newcomers who are used to having their hands held and being walked from a problem to its solution. However, in OpenBSD-land you do not get helped if you do not try to get to a solution by yourself. Since a lot of work is done on keeping documentation up-to-date, the first step to a solution is often to start reading the documentation that is shipped with the system.

Why do I mention this? Well, the very first thing you get to do when booting your OpenBSD system and logging in to your account is to actually read a man page [afterboot(8)]. It holds a description of the first checks to perform after the first boot. It will tell you about files that were configured during installation as well as files and commands that you should really know how to use as soon as possible. Since repeating its content here would be a waste of bytes, I will only suggest that you read it and follow the pointers to other man pages that are in the "READ ALSO" section of the man page.

BSD 2/2008


Configuring the network

One of the first things you will want to do is configuring the network since you will probably want to interact with the rest of the world. Depending on your network configuration, this is going to be easy, or super easy. First of all, you will need to know your interface name: see Listing 4. Here, my interface is rl0 (lo0 being the loopback interface, enc0 and pflog0 being of interest to you only when you will be familiar enough that you will want to set up ipsec or pf). This means that my network card is attached to the rl driver [rl(4)]. Good, now:

- If I have a DHCP server: $ sudo dhclient rl0
- If I want to statically assign my address: $ sudo ifconfig rl0 192.168.0.42

The changes are not permanent and to make sure they are kept after the next reboot, all that is required is to write them to the /etc/hostname.rl0 file which will be read at boot time. For each interface you want to configure, a /etc/hostname.<interface> file should exist with the configuration written in it (Listing 5).

If we go for DHCP there is nothing left to do. If we go for the statically assigned address, we still need to configure the gateway and nameservers. Configuring the gateway is simple:

$ sudo route add default 192.168.0.1

and to make the change permanent:

$ sudo tcsh
# echo "192.168.0.1" > /etc/mygate
# exit
$

Nameservers are configured in the /etc/resolv.conf file:

$ sudo vi /etc/resolv.conf
search poolp.org
nameserver 192.168.0.2
nameserver 192.168.0.3
lookup file bind
$
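The static configuration spread over Listing 5, /etc/mygate and /etc/resolv.conf, written by one function that refuses malformed addresses before touching any file. This is an added example, not code from the article; it assumes a $ROOT prefix (empty for the real /etc) so it can be exercised in a scratch directory, and the addresses and names in the usage line are constructed to match the article's session.

```shell
#!/bin/sh
# Added example, not the article's own code: write hostname.<if>, mygate and
# resolv.conf for a statically assigned IPv4 address in one step. Assumption:
# files go under $ROOT (empty means the real /etc); sample values constructed.
ROOT=${ROOT:-}

# valid_ipv4 ADDR: four dotted decimal octets in 0-255 and nothing else.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# write_static_net IF ADDR MASK GATEWAY DOMAIN NS...: the three files as the
# article shows them. Returns 1 and writes nothing if an address is malformed,
# so a typo does not leave the box half configured at the next boot.
write_static_net() {
    [ $# -ge 6 ] || { echo "usage: write_static_net IF ADDR MASK GW DOMAIN NS..." >&2; return 1; }
    iface=$1 addr=$2 mask=$3 gw=$4 domain=$5
    shift 5                                  # what is left are the nameservers
    for ip in "$addr" "$mask" "$gw" "$@"; do
        valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    mkdir -p "$ROOT/etc"
    echo "inet $addr $mask NONE" > "$ROOT/etc/hostname.$iface"
    chmod 0640 "$ROOT/etc/hostname.$iface"   # such files may later hold wireless keys
    echo "$gw" > "$ROOT/etc/mygate"
    {
        echo "search $domain"
        for ns in "$@"; do echo "nameserver $ns"; done
        echo "lookup file bind"
    } > "$ROOT/etc/resolv.conf"
}

# Usage (constructed values from the article's network):
# write_static_net rl0 192.168.0.42 255.255.255.0 192.168.0.1 poolp.org 192.168.0.2 192.168.0.3
```

Run it once with ROOT set to a scratch directory and compare the three files with the listings above; once they look right, run it against the real /etc with the same arguments and the next boot will pick everything up without any manual ifconfig or route command.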


Once you get more familiar with the system, you can run the shipped named server and configure your system to use its own name server.

Wi-Fi is slightly more difficult, you must... no, actually in OpenBSD Wi-Fi is configured using ifconfig which recognizes a few additional Wi-Fi-specific options. I would love to put an example, sadly I do not have Wi-Fi so you will have to trust my word.


What is in OpenBSD 

Now that we have a network, let's see 
what tools we have at hand and even- 
tually install from the Internet additional 
software. 

Contrary to popular belief, OpenBSD comes with many tools which make it usable out of the box to achieve many of the goals you would expect from a UNIX-like system:

OpenBSD can be configured as a simple firewall with simple rules to block incoming and outgoing traffic, just as it can be used to control bandwidth or provide high availability redundant setups, multihoming or ipsec gateways. It is the system of choice to use as a gateway between one network and another: a very robust system with advanced network-related features.

It can also be configured as a server for a wide variety of services including http, smtp, dns, dhcp, pop, ftp, ssh, ntp, and more... Services are integrated and for the most part will run out of the box if you enable them, as will be shown in this article. Services which cannot work out of the box because they require specific configuration come with examples that will allow an unfamiliar admin to get them running in minutes. It should also be noted that most of these services are either written by OpenBSD hackers or are modified to improve their overall security with techniques that have proved to be efficient such as privilege separation and chrooting, privilege dropping, use of safe alternatives to potentially dangerous code constructs, and so on.

Some services are even able to cooperate with the packet filter to provide elegant solutions to problems which usually force admins to rely on hacks, such as ftp-proxy, spamd or relayd.

It makes a great development station. Xorg is available by default in a more secure OpenBSD-ized version. vi and mg, an emacs-like editor, are there out of the box, as are cvs, gcc, gdb and more. The documentation is probably the best out there with every function documented, some even providing examples of correct and incorrect uses. It is not rare that I rely on OpenBSD man pages while developing for Linux, and I know of many people with the same habit.

As you can see, the system comes with a set of applications which are available out of the box and which will allow you to do quite a few things in many areas without having to install third party applications.


Ports and packages

At some point, you will feel limited because you need a particular tool to do your job, or you will miss an application you are familiar with and which does not ship with the system. I tried a lot in the past to limit myself to base applications but in the end I always end up needing something that's missing. Fortunately, OpenBSD provides two mechanisms to ease the installation of third party applications and have them installed and running painlessly: packages and ports.

Packages are a collection of archives containing software and libraries that are under a license which allows the OpenBSD project to host them on a public ftp server and redistribute them. This does not necessarily mean that they are free software, it only means that they are software that is allowed to be distributed. Packages are managed through a set of commands:

pkg_add, pkg_delete and pkg_info

Actually there is more, but by now you should be used to me telling you to read man pages.

To install a package, you need to tell pkg_add where to find it. This is done by setting the PKG_PATH environment variable to the ftp directory that contains the package you want to install. A list of these servers is available at [1]. Since we want to be nice to the main server and we want the application to install fast, I will choose a server that's geographically close to me, ftp.arcane-networks.fr, to install the screen utility that I like so much:

$ export PKG_PATH=ftp://ftp.arcane-networks.fr/pub/OpenBSD/4.3/packages/i386/
$ sudo pkg_add screen
Ambiguous: screen could be screen-4.0.3p1 screen-4.0.3p1-shm screen-4.0.3p1-static
$

The pkg_add utility detected that there are 3 different packages for screen, and it is up to me to decide which one I will want to use. In this case, I do not really care about the various versions and will go for the default:


[Screenshot: KDE 3.5]

$ sudo pkg_add screen-4.0.3p1
screen-4.0.3p1: complete
$

Just note that usually, the existence of more than one flavor of a package is an indication that you should educate yourself as to what the different versions do. On many occasions, a flavor is here to compensate for the lack of an option in the default package.

Whoops, what I really wanted was the -static flavor. No problem, uninstalling it is simple and will clean up every file that was created at install time:

$ sudo pkg_delete screen
screen-4.0.3p1: complete
Clean shared items: complete
$

Now I install the right version:

$ sudo pkg_add screen-4.0.3p1-static
screen-4.0.3p1-static: complete
$

The screen example is simple because it does not have dependencies, but to be honest it does not make a difference as pkg_add resolves and installs all of the dependencies transparently.
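Why pkg_add had to ask which screen I meant: a package name is a stem, a version and an optional flavor, and a bare stem can match several of them. The function below reproduces that resolution over a constructed list of names. It is an added example, not the article's code nor the real pkg_add logic; a real list would come from the PKG_PATH directory on the mirror.

```shell
#!/bin/sh
# Added example, not the article's or OpenBSD's code: resolve a requested
# package name against the names a mirror offers, the way the "Ambiguous:"
# message above arises. The list is constructed to mirror the sessions in the
# article; it is not a real mirror listing.
AVAILABLE='screen-4.0.3p1
screen-4.0.3p1-shm
screen-4.0.3p1-static
screenshot-1.0
mplayer-1.0rc2p6
mplayer-1.0rc2p6-no_x11
mplayer-1.0rc2p6-sdl'

# candidates NAME: the exact name, or every name that is NAME followed by a
# dash and a version (so "screen" does not pick up "screenshot-1.0").
candidates() {
    printf '%s\n' "$AVAILABLE" | grep -e "^$1\$" -e "^$1-[0-9]"
}

# resolve_pkg NAME: prints the single matching package name, or an
# "Ambiguous:" line listing the choices, or "Can't find"; succeeds only when
# exactly one package matches.
resolve_pkg() {
    n=$(candidates "$1" | wc -l | tr -d ' ')
    case "$n" in
    0) echo "Can't find $1"; return 1 ;;
    1) candidates "$1" ;;
    *) echo "Ambiguous: $1 could be $(candidates "$1" | tr '\n' ' ' | sed 's/ $//')"
       return 1 ;;
    esac
}

# Usage: resolve_pkg screen; resolve_pkg screen-4.0.3p1-static
```

The practical lesson is the one the text gives right after: when a stem is ambiguous, the flavors usually differ in a build option, so pick one deliberately rather than reaching for the shortest name.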

Unlike packages, ports are a collection of Makefiles that are organized in a hierarchy of directories (typically under /usr/ports) and which allow you to download, build and install any of the (slightly more than) 5000 ported software and libraries by typing make install in the appropriate directory. To obtain the ports, you need to download the ports.tar.gz archive that is available on every mirror, or use cvs. There is not really any advantage to using ports if a package already exists for the application you want to install, as building the port will result in the package itself. Ports are handy when you are dealing with situations which cannot be solved by packages, for example if you need to build with a particular option, or if the application has a restrictive license that does not allow OpenBSD to distribute a package.

[Screenshot: undeadly.org headline "Call For Testers - PF internals redesign", contributed by jason on Mon May 26 13:36:59 2008 (GMT), from the your-firewall-will-stil-respect-you-in-the-morning dept.]

[Screenshot: a pkg_add session resolving an ambiguous name and pulling in dependencies]
lappy:gilles {17} sudo pkg_add mplayer
Ambiguous: mplayer could be mplayer-1.0rc2p6 mplayer-1.0rc2p6-no_x11 mplayer-1.0rc2p6-sdl
lappy:gilles {18} sudo pkg_add mplayer-1.0rc2p6
cdparanoia-3.a9.8p6: complete
speex-1.2beta3: complete
xvidcore-1.0.3p0: complete
mplayer-1.0rc2p6: complete
--- mplayer-1.0rc2p6 -------------------
This package may need further setup. Run "pkg_info mplayer" to find out more
and be sure to read the package description carefully
lappy:gilles {19}

To install the ports subsystem, you need to extract the ports.tar.gz that you will find on every mirror inside /usr/ports:

$ sudo mkdir /usr/ports
$ ftp ftp://ftp.arcane-networks.fr/pub/OpenBSD/4.3/ports.tar.gz
$ sudo tar -C /usr/ports -zxpf ./ports.tar.gz
$

This will create the ports hierarchy where applications are classified by category. For example, if I wanted to install the tcsh shell, I would issue a make install in /usr/ports/shells/tcsh/ which would in turn download the source for tcsh from a master site, compile it, create a package out of it, and install the package like we have seen earlier. The list of ports is in /usr/ports/INDEX which can be parsed easily from the command line or searched through with make commands, for example: Listing 6.

With this knowledge, you should already be able to customize your OpenBSD system and set up an environment that you will enjoy working in within a few minutes.




Basic administration 

X configuration — I am pretty sure you want X running by now. OpenBSD ships with an Xorg and you should not need any configuration as settings are auto-detected. The only thing you may want to do, if the default window manager, fvwm2, does not suit you, is to install the window manager of your choice:

$ sudo pkg_add ion
ion-20070318p1: complete
$

Then if you do not plan to use xdm, add the command line to your ~/.xinitrc file so that starting X will start the window manager:

$ echo /usr/local/bin/ion3 > ~/.xinitrc

X can now be started with the well known command:

$ startx &

On the 'Net

[0] The OpenBSD project: http://www.openbsd.org/
[1] FAQ: http://www.openbsd.org/faq/
[2] Goals: http://www.openbsd.org/goals.html
[3] Mailing lists: http://www.openbsd.org/mail.html

Making changes to user account — Sometimes you may need to change some of the settings for your account. I like the tcsh shell which is not shipped with OpenBSD, so how do I change from the /bin/sh shell that I got when I created my account to the /usr/local/bin/tcsh shell that I got from running pkg_add tcsh?

$ chpass -s /usr/local/bin/tcsh gilles

or:

$ chpass

When invoked without parameters, the chpass command will launch a text editor which will allow me to change a few settings such as my name (as will appear in /etc/passwd, finger output and automatic filling from various mail clients) or shell.


Starting daemons 

lf you are familiar with other Unix(-like) 
systems, you probably know that most 
administrative files are stored in the /etc 
hierarchy. 

Files that are of particular interest 
are the rc files which are used to decide 
what will or will not be done at boot (and 
reboot) time by the /etc/rc script. 

First file to take a look at is /etc/rc.conf which holds a series of knobs to enable and disable services at boot time. For example: see Listing 7.

The /etc/rc.conf file ends with the inclusion of /etc/rc.conf.local if it exists. The smart way of doing things is to override the variables we want changed in /etc/rc.conf.local and not make any changes to /etc/rc.conf, so that they do not get overwritten during the next upgrade. So, if I were to enable httpd and disable sendmail, I would simply add the following lines to /etc/rc.conf.local:

httpd_flags=""
sendmail_flags=NO

Obviously, OpenBSD cannot (and would not) take into account inside /etc/rc.conf every single service that is present in ports and packages. So an additional file, /etc/rc.local, is executed at boot time and may contain command lines of your choice. For example, if I had installed the dovecot imap server and wanted it to be started automatically at next boot, I would simply add the following to /etc/rc.local:

if test -x /usr/local/sbin/dovecot; then
        /usr/local/sbin/dovecot; echo -n ' imapd';
fi

Other rc files exist, such as /etc/rc.shutdown or /etc/rc.securelevel, but I doubt they deserve much more explanation.
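The override mechanism just described, reproduced so that the effective setting of a daemon can be checked without rebooting: rc.conf is sourced first, rc.conf.local second, so whatever the local file says wins. This is an added example and not OpenBSD's rc script; it reads the files under a $ROOT prefix (empty for the real /etc), and the two sample files in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not OpenBSD's rc script: show the effective *_flags value
# after /etc/rc.conf and /etc/rc.conf.local have both been sourced, in that
# order. Assumption: files live under $ROOT/etc (empty means the real /etc).
ROOT=${ROOT:-}

# effective_flags NAME: value of NAME_flags once both files are sourced
# (rc.conf first, rc.conf.local second, so the local file wins). Prints
# UNSET when neither file mentions the daemon.
effective_flags() {
    (
        # subshell: the assignments made by the config files must not leak out
        [ -r "$ROOT/etc/rc.conf" ] && . "$ROOT/etc/rc.conf"
        [ -r "$ROOT/etc/rc.conf.local" ] && . "$ROOT/etc/rc.conf.local"
        eval "printf '%s\n' \"\${${1}_flags-UNSET}\""
    )
}

# enabled NAME: succeeds when rc would start the daemon (flags are anything
# but NO), fails for NO and for a daemon that nobody configured.
enabled() {
    case "$(effective_flags "$1")" in
    NO|UNSET) return 1 ;;
    *)        return 0 ;;
    esac
}

# report NAME...: one line per daemon, handy after an upgrade to confirm that
# rc.conf.local still says what you think it says.
report() {
    for d in "$@"; do
        if enabled "$d"; then
            printf '%-10s start  (%s_flags=%s)\n' "$d" "$d" "$(effective_flags "$d")"
        else
            printf '%-10s skip   (%s_flags=%s)\n' "$d" "$d" "$(effective_flags "$d")"
        fi
    done
}

# Usage with two constructed files under a scratch $ROOT:
#   printf 'httpd_flags=NO\nsendmail_flags="-bd -q30m"\n' > "$ROOT/etc/rc.conf"
#   printf 'httpd_flags=""\nsendmail_flags=NO\n'        > "$ROOT/etc/rc.conf.local"
#   report httpd sendmail sshd
```

Because the files are sourced, the check tells you exactly what rc will see, including a line in rc.conf.local that was mistyped as a comment or quoted wrongly; reading the files by eye tends to miss that.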


Tweaking the kernel settings 

There are some kernel settings which you can change from userland without having to rebuild a kernel. Amongst these settings: the ability to forward packets (required if you plan to use your OpenBSD computer as a gateway), or even Linux and FreeBSD binary emulation if you plan to run an application for which you do not have source code and which does not exist for OpenBSD.

These knobs can be listed and altered with the sysctl command; however the changes are not persistent between reboots. The file /etc/sysctl.conf is a good place to save these changes.
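Reading the persistent knobs back out of a sysctl.conf-style file, so you can audit what the next boot will apply before it happens. This is an added example, not the article's code; the sample file is constructed, and the knob names it looks for (net.inet.ip.forwarding, net.inet6.ip6.forwarding, kern.emul.linux, kern.emul.freebsd) are the names OpenBSD used for packet forwarding and binary emulation in that era, which the article mentions without naming.

```shell
#!/bin/sh
# Added example, not the article's code: read key=value knobs from a
# sysctl.conf-style file ('#' comments, blank lines) and flag the ones that
# widen a host's exposure. The file used in the usage note is constructed.

# conf_get FILE KEY: value of KEY with comments and whitespace stripped;
# the last assignment wins, as it does when the file is applied in order.
# Fails when KEY is not set in the file.
conf_get() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
        awk -F= -v key="$2" '
            { gsub(/[[:space:]]/, "", $1) }
            $1 == key { v = $2; gsub(/[[:space:]]/, "", v); found = 1 }
            END { if (found) print v; else exit 1 }'
}

# risky_knobs FILE: print each knob set to 1 that turns the box into a
# router or lets it run foreign binaries; nothing printed means none are on.
# Knob names are OpenBSD's of that era (my addition, not from the article).
risky_knobs() {
    for k in net.inet.ip.forwarding net.inet6.ip6.forwarding \
             kern.emul.linux kern.emul.freebsd; do
        v=$(conf_get "$1" "$k") || continue
        [ "$v" = 1 ] && echo "$k"
    done
    return 0
}

# Usage with a constructed file:
#   printf 'net.inet.ip.forwarding=1\t# gateway\nkern.emul.linux=0\n' > /tmp/sysctl.sample
#   risky_knobs /tmp/sysctl.sample      # prints net.inet.ip.forwarding
```

On a machine that is not meant to be a gateway, an unexpected forwarding=1 in this output is worth a look: the text lists that knob as something you enable on purpose, and it is easy to leave behind after an experiment.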


Password files 

OpenBSD does not use a text file to store user accounts and passwords. It uses a database out of which the /etc/passwd and /etc/master.passwd files are generated. This means that any changes to /etc/passwd or /etc/master.passwd will not be taken into account and will be overwritten next time the files are regenerated from the database. Changes to accounts must be done through the several utilities that manipulate the database itself. A notable exception is /etc/group which can be edited by hand, though using utilities is still smarter and less error prone.


Learning more 

This article was just to get you started and running by holding your hand for the first few minutes. The next step for you is to start reading from the project's FAQ and man pages to get more familiar with the tools and how they work.

Our community is active and you should be able to find help on almost any topic through the official website, the misc@openbsd.org mailing list, or even through the www.undeadly.org website which often posts worthy information about new tools that can make your life easier.

One thing to note is that the OpenBSD 
community does not attempt to bring 
users at all costs and people tend to 
be direct and unfriendly when faced to 
anyone who begs for help without doing 
the slightest effort to find a solution by 
himself. When someone asks for help, it 
is expected that he did his best to find 
a solution, describe the problem clearly 
with logs and error messages that will 
help others understand, list what was 
attempted to solve the issue and where 
you are stuck. Not doing so is very likely 
to make people yell at you because being 
lazy saves your time but wastes the time 
of others which is considered by many as 
a rude and impolite behavior. 

I hope you enjoyed reading this article and you will enjoy using OpenBSD as much as I do!

get started

You've installed it. Now what? Packages!

Peter N. M. Hansteen

A freshly installed machine is nice, but it's when you start using the package tools that the real vistas open. Read on for a kickstart on packages.

Installing OpenBSD is easy, and takes you maybe 20 minutes. Most articles and guides you find out there will urge you to take a look at the files in /etc/ and explore the man pages to make the system do what you want. With a modern BSD, the base system is full featured enough that you can in fact get a lot done right away just by editing the relevant files and perhaps starting or restarting one or more services. If all you want to do is set up something like a gateway for your network with basic-to-advanced packet filtering, everything you need is already there in the basic install.

Then again, all the world is not a firewall, and it is likely you will want to use, for example, a web browser other than the venerable lynx or editing tools that are not vi or mg. That's where packages and package systems come in. I will skip a little ahead of myself and make a confession: The machine I am writing this piece on reports that it has some 260 packages installed.

Before we move on to the guts of this article, some ceremonial words of advice: If you are new to OpenBSD or it is your first time in a while on a freshly installed system, you could do a lot worse than spending a few minutes reading man afterboot. That man page serves as a handy checklist of things you should at least take a peek at to ensure that your system is in good working order.

Some packages will write important information, such as strings or stanzas to put in your rc.conf.local, rc.local or sysctl.conf files, to your terminal. If you are not totally confident what to do after the package install finishes, it may be a good idea to run your ports and packages installs in a script session. See man script for details.


When dinosaurs roamed the Earth... 

The story of the ports and packages goes back to the early days of free software when we finally found ourselves with complete operating systems that were free and hackers^H^H^H^H^H^H^H system administrators found that even with full featured operating systems such as the BSDs, there were sometimes things you would want to do that were not already in there. The way to get that something else was usually to fetch the source code, see if it would compile, make some changes (or a lot) to make it compile, possibly introduce the odd #ifdef block and keep at it until the software would compile, install and run. In the process you most likely found out what, if any, other software (tools or libraries) needed to be installed to complete the process. At that point, you could claim to have /ported/ the software to your platform. If you had been careful and saved a copy of the original source files somewhere, you could use the diff utility to create a patch you could then send to the program maintainer and hope that he or she would then incorporate your changes in the next release.

But then, why wait for the next release? Why not share those diffs with others? How about putting it into a CVS repository that would be available to everyone? That idea was tossed around on relevant mailing lists for a while, and the first version of the ports system appeared in FreeBSD 1.0 in December 1993.

The other BSD systems adopted the basic idea and framework soon after with small variations. On NetBSD, the term 'port' was already in use for ports of the operating system itself to specific hardware platforms, so on that operating system, the ports tree is referred to as 'package source', or pkgsrc for short. The ports and packages tools are still actively maintained and developed on all BSDs, and most notably Marc Espie rewrote the pkg_* tools for OpenBSD's 3.5 release.

Parallel development has led to some differences in the package handling on the various BSDs, and some of the operations I describe here from an OpenBSD perspective may not be identical on other operating systems. Around the same time the BSDs started including a ports tree and packages, people on the Linux side of the fence started developing package systems too. With distributed development taken to the point where the kernel, basic system tools and libraries are maintained separately, perhaps the need there was even greater than on the BSDs. In fact, some Linux distributions such as the Debian based ones have taken the package management to the point where everything is a package: every component on a running system is a package that is maintained via the package system, including basic system tools, libraries and the operating system kernel. In contrast, the BSDs tend to treat the base system as a whole, with the package management tools intended solely for managing software that does not come as a part of the default install.


The anatomy of ports and packages

The ports system consists of a set of 'recipes' to build third party software to run on your system. Each port supplies its own Makefile, whatever patches are needed in order to make the software build and optionally package message files with information that will be displayed when the software has been installed.

So to build and install a piece of 
software using the ports system, you 
follow a slightly different procedure than 
the classical fetch - patch - compile cycle. 
You will need to install the ports tree, either 
by unpacking ports.tar.gz from your 
CD set or by checking out an updated 
version via cvs, or for that matter cvsup 
or the rewritten version called csup. With a 
populated ports tree in hand, you can go 
to the port's directory, say

$ cd /usr/ports/print/lyx

to see about installing lyx, the popular LaTeX front end. On a typical OpenBSD system, that directory contains the following files:

$ ls -l
total 8
-rw-rw-r--  1 root  wheel  1825 May 18 21:57 Makefile
-rw-rw-r--  1 root  wheel   274 Apr [day illegible in the scan] 2007 distinfo
drwxrwxr-x  2 root  wheel   512 Nov  1 2007 patches
drwxrwxr-x  2 root  wheel   512 Nov  1 2007 pkg

Here, the Makefile is the main player. If you open it now in a text editor or viewer such as less, you will see that the syntax is quite straightforward. What it does is mainly to define a number of variables such as the package name, where to fetch the necessary source files, which programs are required for the compile to succeed and which libraries the resulting program will need to have present in order to run correctly.

The file defines a few other variables too, and you can look up the exact meaning of each in the man pages, starting with man ports and man bsd.port.mk. With all relevant variables set, at the very end the file uses the line:

.include <bsd.port.mk>

to pull in the common infrastructure it shares with all other ports.

This is what makes the common targets work, so for example, typing:

$ make install SUDO=sudo


(probably the most common port-related make command for end users and administrators) in the port directory will start the process to install the software. But before you type that command and press Enter, you may want to consider this: the command will generate a lot of output, most likely more than will fit in the terminal's buffer. If the build fails, it is likely that the message about the first thing that went wrong will have scrolled off the top of your screen and out of the terminal buffer. For that reason, it is good sysadmin practice to create a record of lengthy operations such as building a port by using the script command. Typing script in a shell will give you a subshell where everything displayed on the screen will be saved in a file. Escape sequences, asterisk-style progress bars and twirling batons will end up a bit garbled, but that essential message you are looking for will be there too. man script will give you the details, and unless you are an incurable packrat, do remember to delete the typescript file afterwards.

The install process itself will start with checking dependencies, go on with downloading the source archive and checking that the fetched file matches the cryptographic checksums stored in the distinfo file. If the checksums match, the source code is extracted to a working directory, the patches from the patches/ directory are applied, and the compilation starts. If the dependency check finds that one or more pieces are missing, you will see that the process fetches, configures and installs the required package before continuing with the build process for the original package.
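The checksum step in that sequence is the one worth understanding, because it is what keeps a tampered, truncated or silently re-rolled distfile from ever reaching the extract and patch stages. What follows is an added example, not code from the article and not OpenBSD's own bsd.port.mk logic: a POSIX shell script that performs the same comparison against a distinfo-style file. It assumes distinfo lines of the hex form "SHA256 (file) = digest", consults only SHA256 lines, and builds its own constructed sample distfiles; the function names are its own.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenBSD's bsd.port.mk:
# reproduce the "does the fetched distfile match distinfo?" step in POSIX sh.
# Assumptions (this example's own): distinfo lines have the hex form
#   SHA256 (distfile-name) = <64 hex digits>
# and only SHA256 lines are consulted.

# Print the SHA256 hex digest of a file with whatever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then      # OpenBSD's sha256(1)
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# expected_sha256 DISTINFO NAME: print the digest recorded for NAME.
# Exit status 1 when distinfo has no SHA256 line for that file.
expected_sha256() {
    awk -v f="$2" '
        $1 == "SHA256" && $2 == ("(" f ")") { print $4; found = 1 }
        END { exit !found }' "$1"
}

# verify_distfile DISTINFO DISTDIR NAME
# 0: digest matches   2: no entry in distinfo   3: digest mismatch
verify_distfile() {
    distinfo=$1; distdir=$2; name=$3
    want=$(expected_sha256 "$distinfo" "$name") || {
        echo "$name: no SHA256 entry in $distinfo" >&2; return 2; }
    have=$(sha256_of "$distdir/$name")
    if [ "$want" != "$have" ]; then
        echo "$name: checksum mismatch (recorded $want, fetched $have)" >&2
        return 3
    fi
    return 0
}

# Constructed sample (not a real port): two tiny "distfiles" and a distinfo
# that records the digest of the first one under both names, so the second
# behaves like a tarball that changed after its checksum was recorded.
make_sample() {
    dir=$1
    mkdir -p "$dir/distfiles"
    printf 'hello ports\n'  > "$dir/distfiles/good-1.0.tar.gz"
    printf 'hello ports!\n' > "$dir/distfiles/changed-1.0.tar.gz"
    d=$(sha256_of "$dir/distfiles/good-1.0.tar.gz")
    printf 'SHA256 (good-1.0.tar.gz) = %s\nSHA256 (changed-1.0.tar.gz) = %s\n' \
        "$d" "$d" > "$dir/distinfo"
}

# Stand-alone run: build the sample in a scratch directory and check both files.
scratch=$(mktemp -d)
make_sample "$scratch"
for n in good-1.0.tar.gz changed-1.0.tar.gz; do
    verify_distfile "$scratch/distinfo" "$scratch/distfiles" "$n" \
        && echo "$n: ok" || echo "$n: REJECTED"
done
rm -rf "$scratch"
```

A mismatch is reported with its own exit code instead of triggering a re-fetch, which mirrors what the ports infrastructure does: the build stops so you can look at why the file changed. A new upstream tarball uploaded under the same name, a corrupted mirror and a broken download all look alike until you compare the digests, and the right response to each is different.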

After a while, the package build most likely succeeds and the install completes. At this point you will have a new piece of software installed on your system. You should be able to run the program, and the installed package will turn up in the package listings output by pkg_info, such as:

$ pkg_info | grep lyx
lyx-1.4.3p2-gtk     graphical frontend for LaTeX (nearly WYSIWYG)

This information is taken from the package's subdirectory in /var/db/pkg, where the information about currently installed packages is stored.

If you paid close attention during the make install process, you may have noticed that the install step was performed from a binary package. This is one of the distinctive features of the OpenBSD version of the package system. The package build always generates an installable package based on a 'fake' install to a private directory, and software is always installed on the target system from a package.


But you do not need to do that!

This means several things. If you have built and installed a package by typing 'make install' in the relevant ports directory and later run 'make deinstall' or pkg_delete to remove the software, any subsequent install of the software will take place from the package file stored in a subdirectory of /usr/ports/packages. But more importantly, in most cases you can keep your system's packages up to date without a ports tree on the machine. (See Note [1]) For each release, a full set of packages is built and made available on the OpenBSD mirrors, and by the time you read this, there is reason to hope that running updates to -stable packages will be available for supported releases too.

The way to make good use of this is to set the PKG_PATH variable to include the packages directory for your release on one or more mirrors close to you and/or a local directory, and then run pkg_add with the -u flag. (See Note [2]) My laptop runs -current and I am in Europe, so the PKG_PATH is set to

PKG_PATH=ftp://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/packages/`machine -a`/

On a more conservatively run system, you may want to set it to something like

PKG_PATH=ftp://ftp.eu.openbsd.org/pub/OpenBSD/4.3/packages/`machine -a`/

Once your PKG_PATH is set to something sensible, you can use pkg_add and the package base name to install packages, so a simple

$ sudo pkg_add lyx

would achieve the same thing as the 'make install' command earlier, and most likely a lot faster too. Once you have a set of packages installed, and keeping in mind that you need a meaningful PKG_PATH, you can keep them up to date using pkg_add -u. If you want more detailed information about the package update process and want pkg_add to switch to interactive mode when necessary, you can use something like this command:

$ sudo pkg_add -vui

I have at times tended to run my pkg_add -u with some of the -F flags in order to force resolution of certain types of conflict, but given the quality of the work that goes into the packages, most of the -F options are rarely needed.

pkg_add and its siblings in the pkg_* tools collection have a number of options we have not covered here, all intended to make your package management on OpenBSD as comfortable and flexible as possible. The tools come with readable man pages, and may very well be the topic of future BSD Magazine articles.


More information on the net 

The main source of information about the OpenBSD ports and packages system is to be found on the OpenBSD project's web site. The FAQ's ports and packages section at http://www.openbsd.org/faq/faq15.html has more information about all the issues covered in this article, and goes into somewhat more detail than space allows here. If you encounter problems while installing or managing your packages, it is more than likely that you will find a solution or a good explanation there. And of course, if nothing else works or you can't figure it out, there is always the option of asking the good people at misc@openbsd.org or ports@openbsd.org, or searching the corresponding mailing list archives.


How do I make a package then?

That is a large question, and the first question you should ask if you think you want to port a particular piece of software is: has this already been ported? There are several ways to check. If you are thinking of creating a port, you most likely already have the ports tree installed, so using the ports infrastructure's search facility is the obvious first step. Simply go to the /usr/ports directory and run the command:

$ make search key=mykeyword

where mykeyword is a program name or keyword related to the software you are looking for. One other option with even more flexible search possibilities is to install databases/sqlports. And of course, searching the ports mailing list archives (http://marc.info/?l=openbsd-ports) or asking the mailing list works too.

[1] The main exceptions to the rule that precompiled packages are available from the mirrors are software with licenses that do not allow redistribution or require the end user to do specific things such as go to a web site and click a specific button to formally accept a set of conditions. In those cases it can't be helped, and you will need to go via the ports system to create a package locally and install that.

[2] If you want to find out what packages are available at your favorite mirror, you can get a listing of package names by fetching the file $PKG_PATH/index.txt. The OpenBSD web site offers a listing of available packages with short descriptions, too. For OpenBSD 4.3, the listing is available from http://www.openbsd.org/4.3_packages/; from there you click on the link for your platform.

BSD 2/2008

When you have determined that the software you want to port is not already available as a package, you can go on to prepare for the porting effort. Porting and package making is the subject of much usenet folklore and rumor, but in addition you have several man pages with specific information on how to proceed. These are ports, package, packages, packages-specs, library-specs and bsd.port.mk.

Read those and use your familiarity with the code you are about to port to find your way. The OpenBSD web site offers quite a bit of information too. You could start with re-reading the main ports and packages page at http://www.openbsd.org/faq/faq15.html, and follow up with the pages about the porting process at http://www.openbsd.org/porting.html, testing the port at http://www.openbsd.org/porttest.html and finally the checklist for a sound port at http://www.openbsd.org/checklist.html.

All the while, try first to figure out the 
solution to any problems that pop up, 
read the supplied documentation, and 
only then ask port maintainers via the 
ports mailing list for help. Port maintainers 
are generally quite busy, but if you show 
signs of having done your homework first, 
there is no better resource available for 
helping you succeed in your porting or 
port maintenance efforts. 

One fine resource for the aspiring porter is Bernd Ahlers' ports tutorial from OpenCon 2007; you can look up Bernd's slides at http://www.openbsd.org/papers/opencon07-portstutorial/index.html, and it is possible he can be persuaded to repeat the tutorial at a conference near you.
Gilles Chehade


Amongst the many goals of OpenBSD, there is one which is important enough that it is listed in the first position of the goals page: "Provide the best development platform possible."


This is a goal that works hand in hand with the hard focus on code quality. If the system provides good tools and documentation for the developers, then they will be more likely to contribute good code. Looking at the tech@ mailing list shows this behaviour, with thousands of diffs being called incomplete for not providing the associated documentation, or being asked for changes if they are not doing things the appropriate way. Undocumented code does not get in and bad code does not get in either. As a direct result, OpenBSD has become an amazing development platform:


Functions are documented through complete man pages which often show some examples of correct and incorrect uses when it is easy to do things wrong and misuse an API. For example, the realloc() function is often used in a way that leads to a memory leak and the man page reflects this with a short explanation. It is common that people who are not writing code for OpenBSD still use its man pages rather than the ones provided by the system which they write code for (I know that myself and many other OpenBSD-ers do).

All of the source code is available and it can be used as a reference for many different projects and algorithms. This can also be said of other open source systems, but the strong position adopted on what code gets in makes it safer to assume that an example is correct. If the code went in, it means that at some point many people decided it was correct. Errors do happen sometimes as no system is bug free, but they are less likely.

As a means to improve code correctness, some features were implemented for OpenBSD which benefit all developments. For example, malloc() was changed to rely on mmap() and, while at it, enforced a strict release of freed memory so that the assumption that a memory chunk is still usable after being freed would no longer remain valid. The result was that applications that did a poor job at managing their memory would crash (way) more often and help people spot the bugs and fix them rather than leave them around. This produces higher quality code and more robust applications, as people who want their code to be portable to OpenBSD will eventually find out their memory related bugs as they port.


In this article I will give an overview of how you can make use of OpenBSD for both a development server and workstation. Obviously, it cannot be complete and I cannot go through all the different setups for all the different needs; this is just a way to introduce you to OpenBSD as a development platform, and make you familiar with some of the tools that can get you started. So... here is my own setup!


Development Station 

My workstation is just a plain setup with all of the tools I need to write, compile, debug and commit code to a remote server. Since I often work with other people and they do not necessarily use the same tools as I do, I tend to install popular tools so that they can grab a terminal and work without being annoyed by my own environment.


Text editors 

By default, OpenBSD provides nvi, a vi variant, and mg, an emacs-like editor without all the kludge and written in C. Both can be used to write code and are actually used by many developers out there; however they are limited by design and will not provide some of the features many hackers expect from a text editor used for programming, like syntax highlighting for instance.

While writing this article, I went polling around and it turns out that the first tool many developers install is a feature-rich text editor with support for syntax highlighting and programming modes.

The two most popular editors cited were vim and emacs.

Both of which are available as OpenBSD packages:

$ export PKG_PATH=ftp://insert.your/favorite/ftp/mirror/here/
$ sudo pkg_add vim
$ sudo pkg_add emacs

Since I use emacs for coding, here is a configuration file that I'm willing to share and which helps writing readable KNF style code:

http://www.poolp.org/~gilles/emacs/


Code browser

Another useful utility is Cscope, a tool which helps developers browse code and search for references to symbols, definitions, declarations and quite a lot more. This is a very handy tool which makes it easy to browse through a large amount of code and eases the understanding of how things work in code you are not too familiar with. Luckily, Cscope is also available as a package:

$ export PKG_PATH=ftp://insert.your/favorite/ftp/mirror/here/
$ sudo pkg_add cscope

Vim and Emacs are both able to work with Cscope, and ease the browsing without having to leave the editor. I prefer to use cscope and to have it start my favorite editor through the EDITOR environment variable.

$ export EDITOR=emacs
$ cscope

Once you get hooked, you will find it hard to stop using it.


Compilers 
The system ships with compilers and 
interpreters for various languages. The 


C compilers include the well-known 
GCC (Gnu CC) with local extensions 
which aim at improving security and 
easing error detection in code at 
compile and run time. It also includes 
the PCC compiler that was recently 
imported and can already be used to 
build most of the OpenBSD userland. 

PCC works fine but is still a work in progress and as such is not the default compiler; however it is often a good idea to use it alongside GCC and make sure that the code that compiles under GCC does not contain and spread GCC-isms.

More compilers, including more recent versions of GCC, are packaged, but I recommend that you use the versions that ship with the system unless you have a very specific need that cannot be fulfilled with these. Considering that a full operating system including kernel, userland and ports works with the default compilers, attempts at explaining why one NEEDS the latest GCC are a usual source of fun and excitement.


Debuggers

True hackers code bug-free to save time. However, true human beings fail to think of all the implications of slight changes to code, just as they can not write code for hours and hours and hours without introducing slight errors, just as coding at night increases the risks of typos, wrong arithmetic and interesting logic. OpenBSD ships with two debuggers, the full blown gdb for the hackers that need plenty of features and the simple pmdb if the bloat of gdb needs to be avoided.

To be honest, my use of pmdb was rather limited, and it is my understanding that it is usually used to debug kernels at an early stage of development for new architectures. However, it is interesting to know that there is a simple debugger and hopefully it can bring more people to improve it.

Versioning

OpenBSD comes with cvs, which is the versioning tool used by developers of the project. Despite a lot of criticism from supporters of alternative version control systems, cvs does quite a good job and encourages communication between hackers.

Listing 1. Obtaining the anoncvs shell archive

$ lynx http://www.poolp.org/mirrors/OpenBSD/anoncvs.shar

Then

$ mkdir anoncvs
$ mv anoncvs.shar anoncvs
$ cd anoncvs; sh anoncvs.shar
x - Makefile
x - README
x - anoncvssh.c

Listing 2. Building the anoncvs shell

Edit the Makefile in its own directory:

-#CVSROOT=anoncvs@anoncvs1.usa.openbsd.org:/cvs
+CVSROOT=anoncvs@cvs.poolp.org:/cvs
-BINDIR=/open
+BINDIR=/usr/local/bin

Once this is done, you can simply make, then make install:

$ make
cc -O2 -pipe -c anoncvssh.c
cc -o anoncvssh anoncvssh.o
$ sudo make install
install [options illegible in the scan] anoncvssh /usr/local/bin/anoncvssh
$

If you really feel the need to install another versioning utility, there are a few available as packages, including the widely used subversion:

$ export PKG_PATH=ftp://insert.your/favorite/ftp/mirror/here/
$ sudo pkg_add subversion


The OpenBSD project has been using CVS for over 10 years and it has proven to work, which is why there is not really any interest in using alternatives. There is an ongoing project to provide a more sane CVS implementation, OpenCVS, which plans on providing compatibility with GNU CVS in a first release. OpenCVS will then work on providing new features that do not break compatibility and that improve developer experience at the same time.

Listing 3. Setup the chroot environment

$ sudo mkdir bin dev tmp usr var etc
$ sudo cp /bin/{cat,pwd,rm,sh} bin/
$ (cd dev && sudo mknod null c 2 2)
$ sudo chmod 666 dev/null
$ (cd var && sudo ln -s [target illegible in the scan])
$ sudo chmod a+rwx tmp
$ sudo cp /etc/{group,hosts,passwd,protocols} etc/
$ sudo cp /etc/{pwd.db,resolv.conf,services,ttys} etc/
$ sudo mkdir usr/{bin,lib}
$ sudo cp /usr/bin/cvs usr/bin/
$ sudo mkdir usr/libexec
$ sudo cp /usr/libexec/ld.so usr/libexec/

Check which libraries cvs depends on, and copy each at the identical location, i.e.:

$ ldd /usr/bin/cvs
/usr/bin/cvs:
        Start    End      Type  Open  Ref  GrpRef  Name
        [addresses illegible in the scan]  exe   /usr/bin/cvs
        ...                                rlib  /usr/lib/libz.so.4.1
        ...                                rlib  /usr/lib/libgssapi.so.5.0
        ...                                rlib  /usr/lib/libkrb5.so.[version illegible in the scan]
        ...                                rlib  /usr/lib/libcrypto.so.[version illegible in the scan]
        ...                                rlib  /usr/lib/libdes.so.9.0
        ...                                rlib  /usr/lib/libc.so.45.0

Finally, copy all of the libraries that cvs depends on inside the chroot:

$ sudo cp /usr/lib/libz.so.4.1 usr/lib/libz.so.4.1
etc.

Source tree

Whether you plan to work on OpenBSD related code or not, it is always a good idea to have a checkout of the system's source tree at hand.

When you do not know or have a doubt about how a programming interface works, you can bet a piece of code provides a clear and functional example of use.

Since you are free to reuse the code and modify it, you can even prevent having to roll a new version of something that already exists and save yourself time and bug tracking efforts.

$ cd /usr
$ sudo cvs -d anoncvs@your.local.mirror:/cvs co -P src
Using Cscope can turn this copy of the source tree into a large library of code samples and examples. Definitely a good tool.


Development Server 

A development server can do many things, 
and has a different meaning depending 
on who sets it up. My development server 
provides the following: 


- A repository shared between a group of coders with read-write privileges.
- Anonymous read-only access to that same repository.
- CVS log notifications through mail.


Since it is a bit trickier to setup than a few pkg_add, I will explain how you can achieve the same result:


Setting up CVS 

OpenBSD has a shell archive, anoncvs.shar, which is available directly from one of the mirrors and which provides all we need to setup a CVS repository that can be written to by coders and read by anonymous users.

You can start by downloading the archive: see Listing 1.

anoncvssh.c, when built, is a special shell that is really a wrapper to the cvs utility. All it does is setup the environment for read-only access and execute cvs.

First, edit the Makefile to change the following lines as suits you. To increase readability, I prepended removed lines with -, and added lines with +; see Listing 2.

Now, it would be too easy if that was it. The README file explains all of the steps to create the chroot jail, and to populate it with a mirror. We will follow the steps but ignore the mirror stuff so that we simply have an empty repository inside the chroot jail.

I like my repositories to be accessed at /cvs, so we will simply create the base directory and initialize a repository named 'cvs' inside of it. When a user executes anoncvssh, he will be chrooted to the base directory and the repository can then be referenced as /cvs.


$ sudo mkdir /var/cvs

Then, create the anoncvs account by adding the following line to the passwd database, using the command vipw:

$ sudo vipw

Copy/paste the line:

anoncvs::32766:32766::0:0:Anonymous CVS User:/var/cvs:/usr/local/bin/anoncvssh


You may need to tweak your SSH 
configuration to PermitEmptyPasswords 
or else all attempts to log in as anoncvs 
will fail. 

Now that the account is set, you need to setup the chroot environment. While this may look tricky it is quite simple when you understand what you're doing, and you can always use the README as a reminder. Create the base directory:

$ cd /var/cvs

Create a few files for the anoncvs account; you may want to edit .profile and .plan to display proper information:

$ sudo touch .hushlogin .profile .plan

Setup the chroot environment: see Listing 3.

Once this is done, edit /etc/fstab to make sure the /var filesystem doesn't have the nodev option, or else things won't work too well when attempting any operation on dev/null. If it was nodev, remove the option and... reboot.
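Two of the steps above are easy to get subtly wrong and only show up later as confusing cvs failures: a dev/null that ended up as a plain file, and a nodev mount underneath the jail. The following is an added example, not part of the article or of the anoncvs README: a POSIX shell audit that checks a jail directory for the layout of Listing 3 and reads an fstab to tell whether the mount that holds the jail carries nodev. The list of required entries, the function names and the constructed sample tree and fstab are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the article or of the anoncvs README: a read-only
# audit of a jail directory laid out as in Listing 3, plus the fstab check the
# text asks for. The required-entry list, the function names and the
# constructed sample tree and fstab are this example's own assumptions.

# fstab_mount_has_nodev FSTAB DIR
# Exit 0 when the mount point holding DIR (the longest fstab mount point that is
# a prefix of DIR) carries the nodev option, 1 otherwise. Takes an explicit
# fstab path so it can be run against a copy.
fstab_mount_has_nodev() {
    awk -v dir="$2" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            mp = $2; opts = $4
            if (mp == "/" || mp == dir || index(dir, mp "/") == 1) {
                if (length(mp) >= length(best)) { best = mp; bestopts = opts }
            }
        }
        END {
            n = split(bestopts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "nodev") exit 0
            exit 1
        }' "$1"
}

# audit_chroot DIR
# Print one line per problem and return the number of problems found (0 means
# every entry Listing 3 creates is present, dev/null is a real device node and
# tmp is usable by the unprivileged anoncvs user).
audit_chroot() {
    root=$1; problems=0
    for d in bin dev tmp usr var etc usr/bin usr/lib usr/libexec; do
        [ -d "$root/$d" ] || { echo "missing directory: $d"; problems=$((problems + 1)); }
    done
    for f in bin/cat bin/pwd bin/rm bin/sh usr/bin/cvs usr/libexec/ld.so \
             etc/group etc/hosts etc/passwd etc/protocols etc/pwd.db \
             etc/resolv.conf etc/services etc/ttys; do
        [ -f "$root/$f" ] || { echo "missing file: $f"; problems=$((problems + 1)); }
    done
    # A plain file here (left by touch or cp instead of mknod) silently breaks
    # every program inside the jail that opens /dev/null.
    if [ ! -c "$root/dev/null" ]; then
        echo "dev/null is not a character device"; problems=$((problems + 1))
    fi
    # Listing 3 makes tmp a+rwx; check the "other" write bit from ls -ld.
    if [ -d "$root/tmp" ] && [ "$(ls -ld "$root/tmp" | cut -c9)" != "w" ]; then
        echo "tmp is not world-writable"; problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sample fstab: /var (which holds /var/cvs) is mounted nodev.
sample_fstab() {
    cat <<'EOF'
# constructed sample, not a real system
/dev/wd0a / ffs rw 1 1
/dev/wd0d /tmp ffs rw,nodev,nosuid 1 2
/dev/wd0e /var ffs rw,nodev 1 2
/dev/wd0f /usr ffs rw,nodev 1 2
EOF
}

# Constructed sample tree: everything Listing 3 creates, except that dev/null
# is a plain file and tmp is not world-writable, so the audit has two findings.
build_sample_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/dev" "$root/tmp" "$root/usr/bin" \
             "$root/usr/lib" "$root/usr/libexec" "$root/var" "$root/etc"
    for f in bin/cat bin/pwd bin/rm bin/sh usr/bin/cvs usr/libexec/ld.so \
             etc/group etc/hosts etc/passwd etc/protocols etc/pwd.db \
             etc/resolv.conf etc/services etc/ttys; do
        : > "$root/$f"
    done
    : > "$root/dev/null"
    chmod 755 "$root/tmp"
}

# Stand-alone demo on a scratch directory.
demo=$(mktemp -d)
sample_fstab > "$demo/fstab"
fstab_mount_has_nodev "$demo/fstab" /var/cvs \
    && echo "/var is mounted nodev: remove the option from fstab and reboot"
build_sample_tree "$demo/jail"
audit_chroot "$demo/jail" || echo "$? problem(s) found in $demo/jail"
rm -rf "$demo"
```

Run the audit again after every base system upgrade: the cvs binary and the libraries copied into the jail are private copies, so a security fix applied to /usr/bin/cvs or /usr/lib does not reach them until they are copied in again.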

What do we do from now? Well, we have just created the environment to host the anonymous access but we still do not have a repository initialized!


$ cd /var/cvs
$ sudo cvs -d /var/cvs/cvs init

This is not a typo: our base directory is /var/cvs, and the repository uses cvs as its name. When accessing the repository using the anonymous account, the CVSROOT will look like this:

anoncvs@cvs.poolp.org:/cvs

It is a bit annoying because if you're not connecting as anoncvs and you do have read/write access, you will not execute the anoncvssh shell, which will not chroot you, and your CVSROOT will look like this:

anoncvs@cvs.poolp.org:/var/cvs/cvs

The fix is trivial:

$ cd /
$ sudo ln -s /var/cvs/cvs /cvs

Voila, the CVS repository is setup.


Setting up the accounts 

At this point, we have a CVS that’s 
installed with a repository that can 
be accessed read-only by the user 
anoncvs, but this is quite useless 
without a real user with write access to 
the repository. 

How you create developer accounts is up to you, and there are as many ways to deal with this as there are administrators with creative ideas. I like to keep things simple so I make use of groups and permissions.

First, I create a group called coders:

$ sudo groupadd coders

Then I make myself part of the group:

$ sudo usermod -G coders gilles

Finally, I change permissions and group ownership on the repository we have created earlier so that members of the group coders can create modules in the repository.

$ sudo chgrp -R coders /var/cvs/cvs
$ sudo chmod -R 775 /var/cvs/cvs

Listing 4. Creating the mailing list

$ sudo mkdir /etc/mail/lists/
$ sudo sh
# echo "Gilles" > /etc/mail/lists/anoncvs
# echo "anoncvs: [rest of the alias line illegible in the scan]
# newaliases
/etc/mail/aliases: 47 aliases, longest 52 bytes, 714 bytes total
# exit
$


Whenever we need to add a new 
developer, we can simply add her to 
coders, then she'll be able to commit 
to any module inside the repository. 
Also, we can restrict commit to specific 
modules by creating a group specific 
to the module, make the module group- 
writable for the new group and making 
the new developer part of that group 
instead of coders. 


Mail notifications

When working with other developers, it is nice to be notified by mail when a change is made to the tree. This can be setup in a matter of minutes and only requires the setting up of an alias for sendmail and a one liner in a file in /cvs/CVSROOT. See Listing 4.

Sending mail to anoncvs will now send mail to everyone listed in the /etc/mail/lists/anoncvs file. Adding new people will only require us to execute newaliases so that the database is rebuilt.

Now, we need to tell CVS that it has to send mail to anoncvs whenever a commit is done to the repository. This is done by adding the line:

DEFAULT echo %{sVv}; (echo ""; cat) | Mail -s "CVS: cvs.poolp.org" anoncvs

to the file /cvs/CVSROOT/loginfo. You can actually do notifications that are more precise and that apply to certain modules and directories, but I will let you read the header of the loginfo file which explains how this works.
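The one-liner above works because of two conventions worth knowing when you extend it: CVS expands %{sVv} to the module directory followed by one file,oldrev,newrev triple per file (NONE standing in for the missing revision of an added or removed file), and it feeds the commit log to the hook on standard input. The following is an added example, not the article's own loginfo line: a POSIX shell script that turns those two inputs into a readable mail body, with a constructed commit to run it on. The layout, the function names and the hypothetical script path in the comments are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: build the mail body a loginfo hook hands
# to mail(1). CVS runs the loginfo command with %{sVv} expanded to
#   "module file,oldrev,newrev file,oldrev,newrev ..."
# (NONE marks the missing revision of an added or removed file) and writes the
# commit log to its standard input. Layout, function names and the script path
# mentioned below are this example's own assumptions.

# format_changes SVV: one readable line per file in a %{sVv} string.
# Splits on whitespace, which is all the CVS format itself allows.
format_changes() {
    set -- $1
    echo "Module: $1"; shift
    for entry in "$@"; do
        file=${entry%%,*}; rest=${entry#*,}
        old=${rest%%,*};   new=${rest#*,}
        case "$old,$new" in
            NONE,*) echo "  A $file (new, $new)" ;;
            *,NONE) echo "  D $file (was $old)" ;;
            *)      echo "  M $file ($old -> $new)" ;;
        esac
    done
}

# commit_notice SVV < logmessage: the full body, summary first, then the log
# exactly as typed. The log is committer-controlled text; it is copied through
# cat and never placed on a command line or in the Subject header.
commit_notice() {
    format_changes "$1"
    echo ""
    cat
}

# How it would be wired up, replacing the one-liner (hypothetical path):
#   loginfo:  DEFAULT /usr/local/bin/cvs-notify %{sVv}
#   script:   commit_notice "$1" | mail -s "CVS: cvs.poolp.org" anoncvs

# Stand-alone demo with a constructed commit.
printf 'Fix off-by-one in parser.\n\nFound while porting.\n' |
    commit_notice "proj/src parse.c,1.4,1.5 new.c,NONE,1.1 old.c,1.2,NONE"
```

Keeping the subject fixed and the log on the pipe is the detail that matters once this runs unattended on a server: everything a committer types stays data, and the only thing the hook ever executes is mail with arguments you wrote yourself.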

There are many other things you 
could do depending on your need and 
with more or less effort. Many tools 
are available to browse through a web 
interface, create graphs and statistics, 
or create snapshots. The loginfo file 
could even be used to implement some 
kind of continuous integration bot, it is 
all about your needs and the ideas you 
come up with to solve your problems ;) 
Machtelt Garrels


This article is not about just any BSD certification. We will discuss the certification that 
is being developed by the BSD Certification Group Advisory Board. 


The Advisory Board and the rest of the group consists of people who are actively involved in the different BSD projects (DragonFly BSD, FreeBSD, NetBSD and OpenBSD) - many of them are key figures in their communities and help develop their systems. The BSDCG is working with Subject Matter Experts (SMEs) and a psychometrician to ensure that both the question items and the testing method are a fair and unbiased assessment of the candidate's abilities.

Why is it important to have a *BSD certification?


We need to break the myth that says that *BSD is offering no support.

We need to ease and speed up adoption of BSD in the business world:
match companies that are using or that want to use *BSD with people who
are up to the task of managing a BSD environment. There is a chicken and
egg problem: people think that there is no support, so the business
world does not like BSD, so there is no interest in supporting BSD.

There is a need for (standard) objectives for training centers, course
developers and publishers. A (standard) certification encourages
development of course materials.

Companies need help when hiring BSD people. To put it bluntly, we need
to point out for them which words to do a keyword search on in a CV.

We need a revaluation of IT professionals: after the boom of the
nineties, we now get the backlash of the phenomenon where everybody
went into IT without really knowing what they were doing. Now, IT
environments are running slow and are badly managed, because most IT
professionals are not up to the job. As a result, they are always busy
and as a result of their busy schedule, they do not want to change,
update or migrate to better solutions.


Note

We call it *BSD because we do not test any specific BSD distribution.
*BSD includes all distributions of the BSD family.

There are some problems with traditional certifications that 
we do not want for our *BSD certification: 


Certifications are made to sell software. 

Certifications are accompanied by official course materi- 
als that examinees more or less are forced to buy. There is 
no free documentation, it is not freely distributable and not 
easy to find. 

Certifications, like software, expire in order to sell upgrades. 
Knowledge of tools is tested instead of knowledge of 
techniques. 

There is no input from examinees. 


Value of a certification for employers

Some reports, trivially from Microsoft but also from members of 
more or less independent analyzing businesses, like for instance 
IDC, point out that employees for a UNIX-like environment on the 
average cost 30% more than normal employees. Hence they 
jump to the conclusion that the total cost of ownership of such 
an environment, which can be equipped for instance with freely 
available BSD software on PC hardware, is more expensive, 
even though it is cheaper in almost every other respect. 


Note

BSD is part of the UNIX family, a collection of robust operating systems
that were originally designed for big environments. Since many names of
family members end in -NIX, they are sometimes called *NIX to refer to
all UNICES together.

However, these reports fail to mention (on purpose?) that *NIX
professionals have a much wider knowledge, while e.g. Microsoft
professionals tend to be niche specialists, and that you need only 1/3
of the people normally required to maintain a Microsoft environment,
when you have a free *NIX environment.

BSD 2/2008

Employers tend to forget that finding adequate personnel, not so much
the costs, is the real problem. Somebody who knows how to do the job,
somebody who can start on the job right away, rather than going through
a learning period, is to be preferred by far above someone who has to
learn on-the-job.

Without wanting to be an evil 
gossip aunt, whom would you prefer: 
the freshman (or worse, the would- 
be graduate who quit college) who 
installed Linux at home and who has 
learned everything on his/her own, or 
the veteran who has enough practical 
experience to get a certificate? 

The problem with certificates, of 
course, is that there is no consensus. 
Which certificate proves that a candidate 
has a professional *NIX experience? 

Remember not to always believe the hype. For instance,
bsdcertification.com comes to mind. From their name, it is obvious
enough that this is a commercial organization, and not a
community-driven one.

Their last press relea 
2006, testing is fo 


tell from the we ganization is 
dead. 

Even though we have to deal with the little details, a BSD certification
remains a good investment if you do not know yet what additional bonus
you can offer your employees.

All BSD systems are focused on evolution, contrary to for instance
Microsoft, which is based on revolution. BSD/UNIX competence hardly
becomes outdated: you can build on it and what you learned in the past
will still be valuable in ten years time from now.

Knowledge acquired is not invalidated because of new things that you
have to learn now in order to survive in today's IT world. Exams become
exponentially more difficult and standards are raised, guaranteeing that
fiascoes like the one with the MCSE certification cannot occur in our
world.

Other reasons to prefer a BSD 
certification over a traditional one: 


It is relatively cheap. 

It is rather difficult, a good test for 
the candidate’s experience: there are 
not only multiple-choice questions, 
but also multiple answer questions, 
which make it nearly impossible to 
pass without experience. 

BSDCG values community input and candidates can provide new questions or
new objectives through regular update requests. The next update round
is currently scheduled for the last quarter of 2008.

BSDCG is vendor-independent, so 
there is a large item pool of exam 
questions and a high variation in 
questions. This has a positive effect 
on the level of difficulty of the exams. 


Some people say that it is a disadvantage not to have a practical test.
BUT:

Time is limited.

Practical tests require expensive infrastructure and the extra cost
would be charged to candidates taking the exam.

Towards performance based learning instead: teach students how to use
their experience instead of teaching them how to use their memory.


Pros and cons for employees 

The most important reason for certification remains of course that you
will acquire an extra asset when compared to that other applicant for
your dream job. Especially when you just finished school or university,
a certificate is a nice addition to your education. But let's be honest,
among the working crowd in the BSD world, who really needs a
certificate? BSD people know what they know and they do not need to
prove anything to anybody, do they?

No serious BSD user or administrator has ever needed to provide proof of
what he or she knows. Once you have a job and experience, the rest
follows.

Another reason to take the exam, 
which is becoming more fashionable as 
we speak, is that your employer asks you 
to get the certificate. That is also one that 
is easy to understand. But if we want to find more reasons, things get
harder.

www.bsdmag.org
Maybe you could say that you want to get 
a certificate in order to prove your knowl- 
edge, or maybe you want to know for 
yourself where you stand, or you decide 
with a couple of friends to do a contest 
and see who gets the highest score. 

You might also get a certificate 
because you are confident as to what 
the future will bring, or because you want 
to protect your career. If we believe the 
predictions of economic analysts, free 
software is going to expand dramatically 
during the decade to come. We are 
already past the file and print server 
phase, and well into the database or 
Java development platform stage, as 
more and more companies admit to. 

You can probably name some 
cases of adoption right off the top of 
your head. Even the newspape 
telling everybody who g ar 


to be ore incentive to divide 
them into the good and the bad. 

If you are smart, you will make sure 
that when that time comes, you fall into 
the right category and make sure that 
you can show some paper. 

I would have to think really hard to come up with more reasons to
certify... When it comes from your own pocket, it is still an
investment, however small it may be. After the boom of the nineties,
wages in IT are back to normal or at least seriously reduced.

You will probably want to study a bit, 
too, and that takes time. Time off from 
work, be it with the approval of your boss, 
or you would have to sacrifice your own 
free time. And all that to prove that you 
can do something that you know for 
yourself you are capable of doing... 

And then there is the risk that you 
don't pass, and maybe you will have to 
explain that mishap to your boss, who 
meant so well with you and sponsored 
your exam. 
One of the less evident disadvantages of certification is that you force
an upper limit onto your own competences. Imagine: another applicant has
a master level certificate, while you only have an entry level
certificate because you never felt like going further. Who will be
chosen for the job? The candidate who is more experienced, or the
candidate who has more certificates? So once you start on a given
certification path, you need to go through to the highest level that
you can reach, or you run the risk of ruining your chances on the job
market.


Progress report

The BSDCG did not just come up with a bunch of questions. In order to be
credible, first the needs were analyzed with the help of a professional
test developer (a psychometrician). She made us perform a Job Task
Analysis (JTA), where we assembled input from many people.

That makes our certification a 
good one: it does not only contain the 
opinions of individual BSDCG Advisory 
Group members, it also has the input of 
thousands of others who expr 
in English only. During the beta-testing period, hundreds of testers
with all kinds of competences took the exam. The results were then used
to make a statistically valuable analysis that can be used to compare
examinees.

The exam objectives are already translated into Mexican Spanish and
Russian.

Currently, the BSDCG is focusing on 
the BSD Associate (BSDA) exam, which 
is oriented towards beginning users and 
administrators. Later the BSDCG plans to 
release a BSD Professional (BSDP) exam, 
which will test advanced administration 
skills. The details about this exam will be 
available by the end of 2008. 


In order to bring the exam to the candidate, the BSDCG is developing a
test platform which consists of a Live CD and a secured environment, led
by one or more of the proctors of our network. A proctor is somebody who
has signed a Non-Disclosure Agreement and who leads the ... sure
candida... reso... We are on a tight budget and do not want to waste our
money on commercial exam centers like Vue or Prometric. Besides, we do
not want to run our test environment on MS Windows.

Until the test platform is finished, we work with paper-based exam
forms. Apart from anything else, this helps us to reduce costs. We are
very concerned that the certification remains accessible for everyone
who wants to take the exam.

Hence the candidates' contribution is really only a small part of the
total cost to publish an exam. The tests, needed for NOCA certification
and thus for credibility, cost about 35.000 USD, NOCA being the quality
control organization for certification bodies. Vue and Prometric, the
traditional certification bodies, charge +/- 8.000 USD per exam per
language (and per version of the same exam!). We calculated that the
development of our own test platform would cost about 15.000 USD.
Copyrights and trademark registration would be another 4.000 USD.

As for the BSD flavors that we check for, the exam questions currently
deal with FreeBSD, NetBSD, OpenBSD and DragonFlyBSD.

When tested, the candidates will be asked questions about all types of
BSD systems; there is no possibility to opt for a specific distribution
or version. As a consequence, we are probing for understanding, not for
knowledge of details and memory capacity. Also, the BSDA is not a
requirement for the BSDP.

In cooperation with the communities, we arrived at the conclusion that
test objectives can be divided into 7 categories with the following
weighting:

Installation and upgrading the operating system and software: 13%.

Securing the operating system: 11%.

The exam has 100 questions covering these subjects. From the web site,
you can download a command reference mapping each of the BSDA commands
to the four operating systems covered by the BSDA. Furthermore, the
BSDCG conceived a document describing the BSDA Certification
Requirements, which can also be downloaded from the web site.

In order to gather funds, the BSDCG created a courseware DVD that
gathers all the study materials from the web site. The collection
consists of the exam objectives, the command reference, an explanation
of our quality control mechanisms, and software and documentation for
FreeBSD, OpenBSD, NetBSD and DragonFlyBSD.


Certification standards 
We want our exam to be a quality test. 
Therefore, we apply the rules as defined 
by NOCA, the National Organization for 
Competence Assurance, which defines 
the standards for certification bodies. 
Among other criteria, NOCA certification requires that you use
psychometrics for the analysis and quality control of your exams.
According to the dictionary, psychometrics is the mathematical analysis
of psychological processes. In other words, psychometrics is the science
that measures human variables: not only knowledge, but also practical
experience. This science is also devoted to the development of tests by
means of statistics.

A test is just a tool to measure the amount of Knowledge, Skills and
Abilities (KSAs) that a person has in some area. It is often difficult
to comprehend a quantity of knowledge, since it seems to be so abstract.
But in actuality, any quantity of measurement is just an abstraction.

For instance, the measurement of height in inches, feet or meters
appears on the surface to be a real and concrete measurement. But if you
think about it, the inch was simply created and defined by people. There
is no naturally occurring inch and there are no natural units of
measurement at all. One cannot hold an inch, and it really is just an
abstraction that is generally agreed upon. It is this general agreement
that makes the inch a useful measurement tool. It is this common frame
of reference that makes a unit of measurement functional and useful.
Psychometricians do the same with exams: they create a common ...
trained in the development of questions that test human features,
including those features that indicate mastery of a given field of
competence. A trained psychometrician is the difference between a bunch
of questions and a tool that accurately measures and documents knowledge
and experience.

Figure 2. Metan
For the development of their tests, 
psychometricians use scientific methods 
to assure that the exam complies with 
the four rules of a good test: 


The questions are fair: no trick questions, only objective answers are
possible, brain dumpers and others who do not play the game in a fair
way stand no chance.

The questions are accurate: they are 
updated regularly, especially in the 
volatile world of IT. 

The questions are clear and the 
wording specific, they can not be 
misinterpreted and all candidates can 
understand them without difficulties. 
The questions allow the test body to 
perform precise measurements of 
the competence of the examinees. 


The psychometrician also uses scientific methods to determine the
following:

Scoring procedures: ... in order to pass the ... subject matter experts
assist ...

Different versions of a test are equal: by means of statistical
calculations the exam is compiled.

New questions are piloted first: the answers to those questions are not
scored until the validity of the question has been proved statistically;
during this test phase the statistical information about the quality of
the item is gathered.

Planning of the rotation scheme, which is important for the security of
an exam (again a measure against brain dumpers).


While other certifications (like RedHat and Novell) might also use
psychometrics (they did not answer our questions), given the lower
numbers of certified examinees, it is unsure whether the use of
psychometrics is useful for them.

More information

http://www.bsdcertification.org
Mailinglist: bsdcert@lists.nycbug.org


Recertification 

Once you get your BSDA, it will not 
expire. BSDP on the other hand is testing 
somewhat more volatile subjects. The 
BSDCG is as yet undecided what the 
recertification scheme will be for this 
certificate. 


Summary

BSD Associate (BSDA) Certification
Language: English
Available: 2008
Re-certification: 5 years
Requirements: good knowledge of UNIX, at least 1 year of experience on
BSD systems
Domains covered: Basic UNIX Skills ...

BSD Professional (BSDP) Certification
Language: English
Available: estimated 04/2008
Re-certification: 5 years
It is not necessary to be BSDA certified as a prerequisite. The BSDP
certification is for system administrators with extensive knowledge of
UNIX and BSD systems. Experienced system administrators of BSD systems
can register for the exam directly.

Registration process:
Get a BSDCG-ID at http://register.bsdcertification.org/register/get-a-bsdcg-id
Choose an exam location
Pay the fee by credit card or Paypal (USD 75, Eur 50).


About the Author 


Machtelt Garrels is in the Advisory Council of the BSD Cert Group. He
gives presentations about the certification and helps promote it, among
others at conferences in Berlin, Istanbul, Kopenhagen etc.
Building an OpenBSD SAMP server with content filtering proxy

Rob Somerville

In this article we will build an OpenBSD server from scratch with Squid,
Apache, MySQL, PHP and Webmin (for remote management) which will allow
you to serve web pages from your own network and cache the content
reaching your browser.


OpenBSD is very secure, and while it does not use bleeding edge
applications, is very stable. As a default, OpenBSD has a specially
hardened version of Apache that runs in a chroot jail. This means if an
attacker were to compromise the site, they would be unable to access
anything outside the jail and cause considerable damage. While this is
very good practice, it is down to the systems administrator to ensure
that security is kept tight by not running unwanted daemons, processes
or software etc.


Prerequisites

OpenBSD runs on many platforms including Intel i386 based processors and
AMD 64. As the majority of people will have access to the i386 platform,
this will be the basis for the server. For the test box I am using an
AMD Athlon 64 bit PC with a single 15GB SCSI hard drive with 256MB of
RAM and a single 100MB Ethernet card. Obviously the higher specification
the better the performance and the more flexibility (e.g. to use the
server to store backups etc.), so your mileage may vary depending on the
hardware you have available; certainly a larger hard disk and more RAM
would not be wasted. You will also need a working ADSL or cable
connection to the internet via an Ethernet router, a blank CDR and a PC
or laptop with a CD writer and software that is capable of writing ISO
images to CDROM. Please note that a USB cable modem or a wireless
internet connection is not suitable for this install. To perform the
initial installation you will need a keyboard and monitor connected to
the host machine, but once the machine is configured it is possible to
run it in headless mode, that is without a keyboard and monitor.


Preparation

Preparation is the key to any successful project and we will need to
perform the following actions to configure our server box (Table 1).
Table 2 shows the default settings I have used for the configuration of
the server. You will need to modify these to reflect your own internal
network and personal requirements.


Stage 1 — Get network settings 
Before we proceed, you will need to find a free IP address on your 
internal network and both the gateway and DNS settings. Use 
ifconfig to discover your current IP address, route to discover your 
default gateway, ping to discover if an IP address is in use and dig 
to discover your DNS settings. 

Once you have collected the required network settings, note 
them down as you will need them later on in the install. 


Stage 2 - Download and burn OpenBSD 4.2 boot CDROM

OpenBSD 4.2 can be downloaded via HTTP or FTP from a mirror site. To
preserve bandwidth, download the ISO image from the mirror closest to
you. See http://www.openbsd.org/ftp.html for further details. The image
you will require is install42.iso and will be in the i386/4.2 directory
of most mirror servers. NOTE: If you are outside the USA, do not use a
USA mirror as this will contravene US law due to export restrictions.
Once you have downloaded the image, you will need to burn this to CDROM
using CD writer software that supports the burning of a CD ISO image. It
is important that the image is written correctly, as copying the ISO
image will result in a CD that will not boot. Suitable software for this
purpose includes K3B on the BSD / Linux platform, and Nero Burning ROM
on the Microsoft platform.


Stage 3 - Install Operating system

Insert the newly created CDROM into the CDROM of the host machine and
reboot. After a short while you will be presented with the following
Figure 1. After a short while, OpenBSD will boot and you will be
prompted with (I)nstall, (U)pgrade or (S)hell?. At
this prompt press I [ENTER] then [ENTER] again to accept the default
terminal type. For the keyboard mapping I will be using uk as I am using
a UK keyboard. To see the available list of keyboard mappings, press L
[ENTER] and select what is appropriate for your keyboard Figure 2.

You will be warned that OpenBSD is about to modify the contents of your
hard disk. Type yes [ENTER] to proceed and you will be prompted for the
root disk. While OpenBSD can run in dual boot configurations, this is
beyond the scope of this article and we will be allocating all of the
hard drive to OpenBSD. Press [ENTER] to accept the default configuration.
You will then be asked if you wish to use all of the hard drive, answer
yes [ENTER] to access the label editor Figure 3.

Creating the partitions and mount points

Referring to table 2, we will configure the partitions prior to
formatting the hard disk. First of all, if you have partitions already
installed on the disk these will have to be removed. Type p [ENTER] to
view all partitions defined. If any partitions other than c: are present,
delete them by pressing d [ENTER] followed by the partition letter until
only the c: partition remains Figure 4.

Table 1. Installation steps

1 Get network settings
3 Install operating system
5 Download and install packages
7 Test

Listing 1. Output of ifconfig showing current IP address

eth0      Link encap:Ethernet  HWaddr 00:0D:61:49:7D:E1
          inet addr:192.168.0.147  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:61ff:fe49:7de1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29460 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14026 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:37093437 (35.2 MB)  TX bytes:1104087 (1.0 MB)
          Interrupt:19 Base address:0xa000

Listing 2. Output of route -v showing default gateway

Kernel IP routeing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         border          0.0.0.0         UG    0      0        0 eth0

Listing 3. Output of the ping command showing an allocated IP address and a free IP address

PING border (192.168.0.254) 56(84) bytes of data.
64 bytes from border.merville.intranet (192.168.0.254): icmp_seq=1 ttl=64 time=0.115 ms

PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
From 192.168.0.147 icmp_seq=2 Destination Host Unreachable

To add a partition type a [ENTER] at 
the > prompt and accept the default free 
partition by pressing [ENTER]. You will 
be asked for the offset, press [ENTER] 
again and you will be prompted for the 
size. Type the partition size in Gigabytes 
you require (e.g. 2.5G for the root parti- 
tion) and press [ENTER]. You will be 
prompted for the file system type, press 
[ENTER] to accept the default. You will 
then be prompted for the mount point, 
enter this (e.g. / for root, /tmp for tmp 
etc.) and press [ENTER] to finish the 
partition entry. Repeat this process for the swap, tmp, var and usr
partitions but do not specify a size for the final var partition;
OpenBSD will calculate the remainder for you.

NOTE: You will not be prompted for a 
mount point for the swap partition. 

Finally type w [ENTER] then q [ENTER] 
followed by done [ENTER] and yes [EN- 
TER] to commit the changes to disk and 
format the drive. 


WARNING

FOLLOWING THE INSTRUCTIONS BELOW WILL RESULT IN THE TOTAL DESTRUCTION OF
ALL DATA ON THE HARD DRIVE INSTALLED ON THE HOST MACHINE. ENSURE YOU
HAVE AN ADEQUATE TESTED BACKUP IF YOU WANT TO RETAIN ANY DATA ON THE
TARGET DRIVE OF THE HOST MACHINE.

Configuring networking

You will then be asked for a short hostname and if you want to configure
the network. Type your domain name and press [ENTER] and continue to
press [ENTER] until you are prompted for the IPv4 address. In our test
rig, this is 192.168.0.1, but your network will probably be different
from this. Type the desired IP address and press [ENTER], and press
[ENTER] again to accept the default netmask if this is appropriate. When
prompted for an IPv6 address press [ENTER] and for the domain name type
your domain name (in our example merville.intranet) and press [ENTER] to
accept. Enter the IP address of your nameserver (192.168.0.254 in our
example) and press [ENTER]. When prompted to use the nameserver, press
[ENTER] and you will be asked for the default gateway. Enter this IP
address here (in our example 192.168.0.254) and press [ENTER]. Press
[ENTER] twice to accept the defaults and you will be asked for the root
password. Type in test [ENTER] and test [ENTER] when prompted again
Figure 5.


When asked for the location of the sets, accept the default location of
the CD by pressing [ENTER] 3 times. You will be prompted for a set name,
type xbase42.tgz [ENTER]. The xbase42 software set should now have a [X]
next to it Figure 6. Type done [ENTER] [ENTER] to install the software
from cdrom. Once the sets are installed, press [ENTER] to perform the
final configuration. When prompted to use sshd press [ENTER], press
[ENTER] to accept no ntp server and [ENTER] as you are not using X.
Respond by pressing [ENTER] when prompted for the default console, and
enter your timezone and press [ENTER] to accept this option. If you are
unclear as to what timezone to use, type ? [ENTER] to view a list of
timezones.

At this point we are ready to reboot, type halt [ENTER] at the prompt,
and when the blue text with please press any key appears, eject the
CDROM and press [ENTER]. The machine should now boot into a clean
OpenBSD install.

Table 2. Default settings for the installation

Hostname: test
  Whatever you choose provided this name is not used by another server
  or client on your network.
Domain name: merville.intranet
  The domain name of your internal network.
Network: 192.168.0.0
  Your network address.
IP address: 192.168.0.1
  Any free IP address on your internal network. NOTE: Using an IP
  address which is in use will break your network!
Netmask: 255.255.255.0
  The Netmask used on your internal network.
Gateway: 192.168.0.254
  The internal address of the router or ADSL modem on your network.
DNS: 192.168.0.254
  Either the internal address of your router or ADSL modem if it
  supports DNS lookups, or your ISP's DNS server settings.
Root password: test
  An 8-12 character alphanumeric password. We use test in the initial
  configuration and change it once we know the system is up and running.
MySQL root password: password123
  An 8-12 character alphanumeric password.
User Account: merville
  A user name of your choice.
User Password: testing
  An 8 character alphanumeric password.
Root (/): 2.0G
  Small root partition as we will not have any user data in /home. Use a
  larger drive if you intend to use the server for storage and create a
  separate /home partition.
Swap (swap): 0.5G
  2 times installed memory.
Tmp (/tmp): 1G
  Temporary storage area cleaned at each reboot.
Var (/var): 9G
  Largest partition, used for web server and proxy cache. The bigger the
  better.
User (/usr): 2G
  Binary system files are stored here. Shouldn't need more than this
  unless you are installing other software.
Keyboard: uk
  Use your country code.
Timezone: GB
  Use your timezone setting.
OpenBSD download location:
  http://www.mirrorservice.org/sites/ftp.openbsd.org/pub/OpenBSD/4.2/i386/
  Use your fastest local mirror.
PKG location:
  ftp://ftp.mirrorservice.org/pub/OpenBSD/4.2/packages/i386/
  Use your fastest local mirror.


Stage 4 - Check Networking

Once we have configured networking and rebooted, we need to check that
we have access to the internet to download the package files. Login as
root with the temporary password (test), and at the shell prompt, type
ping -c3 www.google.com [ENTER] and you should get a packet back from
google Figure 7. Some notes on the default shell: if you type part of a
command, pressing [TAB] will attempt to complete the command for you.
For example, to change to /etc, typing cd /et [TAB] will change the
line to cd /etc.

If all is well, we can proceed to install the packages. If at this stage
you cannot ping google, you will not be able to install packages from
the mirror site so further investigation will be required. Check your
network settings are correct by typing cd /etc [ENTER] and typing the
commands at the # prompt Figure 8. NOTE: Your network card may not be
called pcn0 - look for a file in the /etc directory called hostname.xxx
where xxx is your network card name. If the settings in resolv.conf or
hostname.xxx are incorrect, change them by using the vi editor (vi
filename). Using vi is beyond the scope of this article, but there are
plenty of resources on the web to help.


Stage 5 - Download and install packages

If networking is OK, we need to set up the package source. At the prompt
type:

export PKG_PATH=ftp://ftp.mirrorservice.org/pub/OpenBSD/4.2/packages/i386/ [ENTER]
pkg_add -r nano-2.0.6 [ENTER]

Replace the mirror site I am using with one that is closer to you to
improve download speeds. If all goes well, edit the .profile file in the
/root directory with the following command:

nano /root/.profile [ENTER]

Then add export PKG_PATH=ftp://xxx/ as used above at the end of the
.profile file. This will save you having to type the export command
every time you want to install software. To check this works, type exit
[ENTER] and then login again. We will now test package downloading for
the webserver etc:
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Table 3. Generic commands for discovering network settings 


Linux          ifconfig, route -v, ping, dig www.google.com
Microsoft XP   ipconfig /all, ping


Listing 4. Output of dig command showing DNS server in use 


; <<>> DiG 9.4.1-P1 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29756
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 13, ADDITIONAL: 10

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         ...     IN      CNAME   www.l.google.com.
www.l.google.com.       281     IN      A       64.233....
(remaining A records illegible in the scan)

;; AUTHORITY SECTION:
com.                    34990   IN      NS      A.GTLD-SERVERS.NET.
(remaining NS records illegible in the scan)

;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET.     ...     IN      A       ...

;; Query time: 51 msec
;; SERVER: 192.168.0.254#53(192.168.0.254)
;; WHEN: Sun Jan 20 12:46:14 2008
;; MSG SIZE  rcvd: ...


Figure 1. Install Operating System (console output of the install media: the kernel probes the hardware, reports "root on rd0a swap on rd0b dump on rd0b", then asks "(I)nstall, (U)pgrade or (S)hell? i")

Welcome to the OpenBSD/i386 4.2 install program. This program will help you install OpenBSD. At any prompt except password prompts you can escape to a shell by typing '!'. Default answers are shown in []'s and are selected by pressing RETURN. At any time you can exit this program by pressing Control-C, but exiting during an install can leave your system in an inconsistent state.

Figure 2. Keyboard mappings (Terminal type? [vt220]; kbd(8) mapping? ('L' for list) [none] L lists the available tables: be br cf de dk es fr hu it jp la lt lv nl no pl pt ru sf sg si tr ua uk us)
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“* 


- 


pkg_add -r wget-1.10.2p0 [ENTER]
pkg_add -r squid-2.6.STABLE13 [ENTER]
pkg_add -r mysql-server-5.0.45 [ENTER]
/usr/local/bin/mysql_install_db [ENTER]
/usr/local/bin/mysqld_safe & [ENTER]

and after a few seconds [ENTER] again

/usr/local/bin/mysqladmin -u root password 'password123' [ENTER]
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pkg_add -r php5-core-5.2.3 [ENTER]

Figure: Label edition (the installer's disklabel editor). The installer notes that to enable all available security features you should configure the disk(s) to allow the creation of separate filesystems for /, /tmp, /var, /usr and /home; the example uses all of sd0 (a VMware Virtual S SCSI disk, 31457280 sectors) for OpenBSD, puts it in an active OpenBSD MBR partition (type A6) and prints the resulting label with 'p'. Offsets in the disklabel are absolute, i.e. relative to the start of the disk, not the start of the OpenBSD MBR partition.

Figure: Configuring networking (interface pcn0, host name test, IPv4 address 192.168.0.1, netmask 255.255.255.0, no IPv6 address, DNS domain merville.intranet, DNS nameserver 192.168.0.254, default IPv4 route 192.168.0.254, no manual network configuration)

Figure: Root password (the installer prompts twice for the root account password, which is not echoed, then asks where to install the sets: cd, disk, ftp, http or 'done')
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mysql -uroot -ppassword123 [ENTER] 
This should display the MySQL prompt. (Passing the password with -p on the command line exposes it to other users via ps and leaves it in the shell history; running mysql -uroot -p and typing it at the prompt avoids that.) Type exit [ENTER] to return. Using nano or an editor of your choice, create a file /etc/rc.conf.local and add the following line:

MYSQL=YES

Next, install Webmin:

cd /usr/local/share [ENTER]
wget http://prdownloads.sourceforge.net/webadmin/webmin-1.390.tar.gz [ENTER]
tar -xvzf webmin-1.390.tar.gz [ENTER]
cd webmin-1.390 [ENTER]
./setup.pl [ENTER]

Then follow the prompts. The tarball arrives over plain HTTP with no checksum or signature check, so fetch it from a source you trust and compare it against a checksum obtained out of band before running setup.pl.

Now enable Apache and PHP:

nano /etc/rc.conf [ENTER]

Change httpd_flags=NO to httpd_flags="" (or put httpd_flags="" in /etc/rc.conf.local, which survives upgrades). Save and quit.

/usr/local/sbin/phpxs -s [ENTER]
cp /usr/local/share/examples/php5/php.ini-recommended /var/www/conf/php.ini [ENTER]
pkg_add -r php5-mysql-5.2.3 [ENTER]
/usr/local/sbin/phpxs -a mysql [ENTER]

Edit /var/www/conf/httpd.conf and uncomment (remove the # from) the following:

#AddType application/x-httpd-php .php

On the line that says DirectoryIndex index.html, change this to read:

DirectoryIndex index.html index.php

Create a test script phpinfo.php in /var/www/htdocs with the following content:

<?php phpinfo(); ?>

Save and quit. phpinfo() reveals the PHP version, build options, paths and environment to anyone who can reach the page, so delete this file once testing is finished.


Configure Squid
Create the cache:

squid -z [ENTER]

Add the below at the end of /etc/rc.local so that Squid starts at boot:

/usr/local/sbin/squid

Edit the /etc/squid.conf file. Add this line below acl CONNECT method CONNECT (replace the network range as required):

acl localnetwork src 192.168.0.1-192.168.0.254

Add this below the http_access allow manager localhost line:

http_access allow localnetwork

Order matters here: Squid applies http_access rules top to bottom and stops at the first match, so this allow line must come before the final http_access deny all, and nothing broader than your own network range should be allowed, or the box becomes an open proxy.

Figure 6. xbase42 software set (the installer's set list: bsd, bsd.rd, bsd.mp, base42.tgz, etc42.tgz, misc42.tgz, comp42.tgz, man42.tgz, game42.tgz, xbase42.tgz, xetc42.tgz, xshare42.tgz, xfont42.tgz, xserv42.tgz; at the prompt "Set name? (or 'done') [bsd.mp]" the X sets are selected by typing their names, e.g. xbase42.tgz)


Figure 7. Checking Networking

# ping -c3 www.google.com
PING www.l.google.com (64.233.183.99): 56 data bytes
64 bytes from 64.233.183.99: icmp_seq=0 ttl=246 time=59.175 ms
64 bytes from 64.233.183.99: icmp_seq=1 ttl=246 time=49.694 ms
64 bytes from 64.233.183.99: icmp_seq=2 ttl=248 time=68.714 ms
--- www.l.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 49.694/58.994/68.714/8.813 ms
# cat resolv.conf
nameserver 192.168.0.254
# cat hostname.pcn0
inet 192.168.0.1 255.255.255.0 NONE
# route get www.google.com
   route to: nf-in-f147.google.com
destination: default
       mask: default
    gateway: 192.168.0.254
  interface: pcn0
 if address: test
      flags: <UP,GATEWAY,DONE,STATIC>

Figure 8. The default shell (root login on the console: the banner reads "OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 16:38:44 MDT 2007" and "Welcome to OpenBSD: The proactively secure Unix-like operating system.", followed by the notice to use sendbug(1) to report bugs, "You have mail." and the prompt "Terminal type? [vt220]")
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Please remember to save before you quit.

Add default user and change root password
At the shell prompt execute the following:

adduser merville [ENTER]

and follow the prompts. When prompted to add the user to other groups, add the wheel group (on OpenBSD only members of wheel may su to root). Change the root password to something secure:

passwd [ENTER]

And follow the prompts.

Figure 9. Apache (OpenBSD's default Apache placeholder page, "It Worked!": if you can see this page, the people who own this host have just activated the Apache Web server software included with their OpenBSD system and now have to add content to this directory or point the server at their real content. The page also reminds the administrator that the Apache documentation is included with the distribution, to read the SSL documentation carefully, and to read the ssl(8) and httpd(8) manpages.)


Figure 10. Apache Web Server (phpinfo() output; the PHP 5 configure command shown includes '--with-apxs=/usr/sbin/apxs' '--without-mysql' '--enable-xml' '--enable-wddx' '--enable-cli' '--with-iconv=/usr/local' '--with-gettext=/usr/local' '--enable-dio' '--enable-bcmath' '--enable-session' '--enable-trans-sid' '--enable-calendar' '--enable-ctype' '--enable-ftp' '--with-pcre-regex' '--with-posix' '--enable-sockets' '--enable-sysvsem' '--enable-sysvshm' '--enable-yp' '--enable-exif' '--without-sqlite' '--without-pdo-sqlite' '--with-pear=/usr/local/share/php5' '--enable-fastcgi' '--enable-force-cgi-redirect' '--enable-shared' '--disable-static' '--disable-rpath' '--with-config-file-path=/var/www/conf' '--enable-inline-optimization' '--with-pic' '--with-openssl' '--with-zlib' '--prefix=/usr/local' '--sysconfdir=/etc' '--mandir=/usr/local/man' '--infodir=/usr/local/info')


Figure 11. Login to Webmin (the Webmin login form: "You must enter a username and password to login to the Webmin server on 192.168.0.1", with Username and Password fields, a "Remember login permanently?" checkbox and Login/Clear buttons)


Figure 12. Squid error page ("The requested URL could not be retrieved": while trying to retrieve the URL http://z/, the error "Unable to determine IP address from host name for z" was encountered; the dnsserver returned "Name Error: The domain name does not exist", meaning the cache was not able to resolve the hostname presented in the URL. Generated Mon, 21 Jan 2008 01:30:39 GMT by test.merville.intranet (squid/2.6.STABLE13).)
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Testing 

Now reboot the machine: type halt [ENTER] and press [ENTER] when prompted. First, point your browser to http://192.168.0.1 and you should see a web page similar to Figure 9. Point your browser at http://192.168.0.1/phpinfo.php; you should see a web page similar to Figure 10. Point your browser at http://192.168.0.1:10000 and you should see a web page similar to Figure 11 (Webmin is served over plain HTTP here, so its login credentials cross the LAN unencrypted). Finally, change the proxy server settings in your browser to 192.168.0.1 using port 3128. You should be able to browse the net. Point your browser at http://z and you should see a screen similar to Figure 12, Squid's error page for an unresolvable host, which confirms that the request went through the proxy.


Cleaning up and further improvements
This configuration, while reasonably robust, requires a lot more work to be highly secure in today's internet environment. For instance, if the rig is installed behind a firewall, SSH, Webmin and Sendmail will not be visible to the outside world.

However, if these programs are exposed there is the possibility of an attack. Read up on security and only run processes that are absolutely vital. SSH is used for remote management and Sendmail is the default SMTP mail server. Likewise, keep Squid's http_access limited to the local network range configured above so that the box does not become an open proxy, and remove phpinfo.php once testing is done. For normal day to day operations it is best practice to login as a normal user and then su to root.
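Because the order of http_access rules decides whether the box is a closed or an open proxy, here is a small check to run over squid.conf before starting Squid. It is an added example and not part of the original article or of Squid itself; the file name and the acl names (localnetwork, manager, localhost, all) are assumptions that match the configuration above. It flags an "allow all", any rule placed after "deny all" (which can never fire), a missing final "deny all", and references to acls that were never defined.

```shell
#!/bin/sh
# Added example, not from the article: check the http_access ordering of a
# squid.conf before starting the proxy. Squid evaluates http_access lines from
# top to bottom and stops at the first match, so an "allow localnetwork" placed
# after "deny all" never fires, and an "allow all" before "deny all" turns the
# box into an open proxy for anyone who can reach port 3128.
#
# Usage: check_squid_access /etc/squid.conf   (exit 0 = ok, 1 = problem found)

check_squid_access() {
    awk '
        # remember every acl name defined in the file
        $1 == "acl" { acl[$2] = 1 }

        $1 == "http_access" {
            n++
            act[n] = $2
            # acls named on the line, with any leading "!" (negation) stripped
            list = ""
            for (i = 3; i <= NF; i++) { a = $i; sub(/^!/, "", a); list = list " " a }
            who[n] = list
            only_all[n] = (NF == 3 && $3 == "all")
        }

        END {
            status = 0; seen_deny_all = 0
            for (i = 1; i <= n; i++) {
                if (seen_deny_all) {
                    print "DEAD RULE: http_access " act[i] who[i] " comes after deny all"
                    status = 1
                }
                if (act[i] == "allow" && only_all[i]) {
                    print "OPEN PROXY: http_access allow all (rule " i ")"
                    status = 1
                }
                if (act[i] == "deny" && only_all[i]) seen_deny_all = 1
                # "all" is predefined by Squid; anything else must have an acl line
                m = split(who[i], parts, " ")
                for (j = 1; j <= m; j++)
                    if (parts[j] != "all" && !(parts[j] in acl)) {
                        print "UNDEFINED ACL: " parts[j] " (rule " i ")"
                        status = 1
                    }
            }
            if (!seen_deny_all) { print "MISSING: no final http_access deny all"; status = 1 }
            exit status
        }
    ' "$1"
}
```

Run it as check_squid_access /etc/squid.conf after editing; a non-zero exit with the printed reasons means the proxy should not be started until the rule order is fixed.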
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Further reading 


http://www.openbsd.org
http://www.apache.org
http://www.squid-cache.org
http://www.mysql.com
http://www.php.net
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as Desktop 


Petr Topiarz 


This guide is intended for people who use Linux or FreeBSD and would like to give OpenBSD a try on the desktop. The guide does not claim to be an expert's adviser, so intentionally some general Unix routines are also explained, while others are simplified.


Many tutorials have been written on using OpenBSD as a server; however, few deal with OpenBSD as the main desktop and everyday office work and internet box. Surprisingly, that is what OpenBSD can do very well too. The jump from the 4.1 release to 4.2 was great for Gnome users, as Gnome was updated from 2.10 to 2.18. The new 4.3 release has, besides the update of Gnome 2.18 to 2.20, brought a lot of useful packages, especially in the printing area; e.g. Gutenprint and HPLIP have been introduced, and Firefox and Thunderbird updated too. For the coming release, Ekiga is in the ports for telephony and KDE users can finally enjoy the advantage of K3b for burning CDs. So overall the improvements are huge.

However, in this article we are going to see more practical information on how to make life with an OpenBSD desktop really easy. Let's start with the basics. We will add a group and a user, mount devices, deal with the network and set up a printer. (The commands below change system files and device nodes, so run them as root.)

Adding a group is useful if more people login to the PC, so that they can share documents:

$ groupadd -g 1200 friends

creates a group with id number 1200 and name friends, and the following:

$ useradd -u 500 -g friends -G wheel,operator -k /etc/skel -s /bin/sh -d /home/caroline -m caroline

creates a user caroline as a member of friends and with administrative power (wheel, operator). Note that with the -d switch you can specify a different home directory than the default. Another practical point is to omit -m if the home directory already exists.

Similarly, you can add other users. Of course, change the -u number and the -d directory, e.g.:

$ useradd -u 501 -g friends -G wheel,operator -s /bin/sh -d /mnt/usb/my_data peter

Now to set a password and allow people to login you need to:

$ passwd caroline

which will ask you for the password and then to repeat it. Notably, the system, for security reasons, does not show anything while you type the password; it does not even print stars or other symbols, but it accepts your typing.

Now we will allow Caroline to access USB and CD-ROM devices. First we need to create mount points:

$ mkdir /mnt/usb /mnt/cdrom

then we have to dedicate these to caroline:

$ chown caroline /mnt/usb /mnt/cdrom

similarly we have to adjust the permissions in /dev (the device nodes belong to group operator, which is why caroline was put in that group above):

$ chmod 660 /dev/sd0i /dev/cd0a

and now we are going to add the mount points to /etc/fstab:

$ echo "/dev/sd0i /mnt/usb msdos rw,nodev,noexec,nosuid,noauto 0 0" >> /etc/fstab

and

$ echo "/dev/cd0a /mnt/cdrom cd9660 ro,nodev,noexec,nosuid,noauto 0 0" >> /etc/fstab
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and finally there is one and last change, 
we need to inform the kernel about our intention to let users mount devices. So we write to the configuration:

$ echo "kern.usermount=1 # enable user mounting devices" >> /etc/sysctl.conf

and if you want to try that immediately:

$ sysctl -w kern.usermount=1

now feel free to plug in a USB stick and, without being root, type:

$ mount /mnt/usb

and you are there! (For a non-root mount the user must own the mount point and have read/write access to the device node, which is what the chown and chmod above arranged; the nodev,noexec,nosuid options in fstab stop anything on the stick from being executed or used as a setuid program or device node.)

To make the nice feeling more complete, KDE, Gnome and Rox environments will allow you to mount these devices just by clicking on the mount points, which makes it even more fun. Now our Caroline can login and mount a CD or USB stick. So, how do we start the graphics? We need to make a configuration file where we tell the system which graphical environment we would like to use. Let's be very spoiled.

Make sure you are in your home directory:

$ cd /home/caroline

create the config file:

$ touch .xinitrc

This will ensure that our settings are valid both for graphical login and the black ugly command line:

$ ln -s .xinitrc .xsession

Now the command to start a KDE session:

$ echo "exec startkde" >> .xinitrc

And finally we can happily type:

$ startx

and if things go well we will enjoy a nice environment, almost like in the spoiled Linux distros of today.

If you want to enable graphical login by default, go to /etc/rc.conf and change xdm_flags=NO to xdm_flags="". For a really nice look this would need a little tuning, but basically it will work. Maybe you will argue that the KDE environment is not part of the OpenBSD release; of course not, so let's add it:

$ export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386

As you see, I am expecting you to run a regular simple PC, so change the architecture at the end of the line if you have PPC or AMD64.

$ pkg_add -v kdebase kdemultimedia mozilla-firefox mozilla-thunderbird amarok gwenview

OK, I have made a random choice, but you can similarly add many more; you will find them at http://openports.se/, which is a very clever web interface providing detailed info about packages and their sources, called ports. A very important point here is to read the post-install messages and do what they instruct you to do. The advice is simple and exact.

Now, having such a nice graphical environment, it would be a shame to be without a network.

$ ifconfig -a

will show you the interfaces; among them, for example, the ethernet fxp0 or the wireless wi0 will appear. $ dhclient fxp0 will connect you to the net if you have the line plugged in and the net is not blocked.

If you want it after every start of the system, we need to write a configuration:

$ touch /etc/hostname.fxp0
$ echo "dhcp NONE NONE NONE" >> /etc/hostname.fxp0

If you come to a place with a wireless network you can enjoy the advantage of the genius simplicity of OpenBSD.

$ ifconfig wi0 up
$ ifconfig -M wi0

will provide you with a list of networks around; you can pick one:

$ ifconfig wi0 nwid CoffeShopNetwork
$ dhclient wi0

and there you go... Well, unless the network is marked private, then you need the password, in our case Jimmy, and then:
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$ ifconfig wi0 nwid CoffeShopNetwork nwkey Jimmy
$ dhclient wi0

and there you go really straight to the internet! In case you want your PC to remember this setting, then:

$ touch /etc/hostname.wi0
$ echo "dhcp nwid CoffeShopNetwork nwkey Jimmy" >> /etc/hostname.wi0

and after the restart, if the network is running, you will automagically connect to it. Two caveats: nwkey sets a WEP key, and WEP is broken, so treat a WEP-only network as if it were open; and since /etc/hostname.wi0 now holds that key it should stay mode 0640 and owned by root:wheel, as hostname.if(5) recommends.
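The fstab entries and the hostname.if files above are edited by hand, so here is an added check (not from the article, and not part of OpenBSD) for the two slips that matter: a removable-media entry that lost its nodev,nosuid,noexec,noauto options, and a hostname.wi0 that holds a key but is readable by everyone or relies on WEP. The function names and the sample lines in the test are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article or from OpenBSD. Two checks for the files
# the text above edits by hand.
#
#   fstab_entry_ok LINE    a removable-media fstab entry that ordinary users may
#                          mount should carry nodev, nosuid, noexec and noauto
#   hostname_if_ok FILE    /etc/hostname.if may hold a wireless key, so it must be
#                          mode 0640 (or stricter) and should not rely on WEP
#
# Both return 0 when the check passes and 1 otherwise, printing the reason.

fstab_entry_ok() {
    # the fourth whitespace-separated field of an fstab line is the option list
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    missing=""
    for want in nodev nosuid noexec noauto; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "fstab entry lacks:$missing"
        return 1
    fi
    return 0
}

hostname_if_ok() {
    f=$1
    # permission bits as printed by ls -l, e.g. rw-r----- for mode 0640
    perms=$(ls -ld "$f" | cut -c2-10)
    case "$perms" in
        rw-r-----|rw-------|r--r-----|r--------) ;;
        *) echo "$f: mode is $perms, expected rw-r----- (0640) because it may hold a key"
           return 1 ;;
    esac
    if grep -q 'nwkey' "$f"; then
        echo "$f: nwkey configures WEP, which is broken; treat the network as open"
        return 1
    fi
    return 0
}
```

Typical use is fstab_entry_ok "$(grep /mnt/usb /etc/fstab)" and hostname_if_ok /etc/hostname.wi0 after editing; the checks deliberately fail closed, so a WEP network is reported even when the file permissions are right.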

OpenBSD is definitely a leader in using wireless technologies and allows you to use cards such as those with Prism Intersil, Asus or TNETW chipsets with their native drivers. They have been reverse-engineered by geeks and experts to avoid using the Windows driver with ndiswrapper, as Linux, FreeBSD and NetBSD tend to do.

Now the last thing that you need to have running on a laptop or a desktop is printing. That used to be a real issue earlier; however, with the latest releases of OpenBSD it is merely fun. Just add a few packages and configure it with a web interface:

$ pkg_add -v cups foomatic-db foomatic-filters ghostscript hplip

That should be enough for most usual printers; then you enable and start the CUPS print server:

$ /usr/local/sbin/cups-enable
$ /usr/local/sbin/cupsd

Fire up your web browser and type:

http://localhost:631/

which will bring you to a very friendly web interface that allows you to add a printer or configure the print server to share printers.

An OpenBSD machine can also run Java, the Flash plugin, play RealPlayer streams and emulate a Linux environment, but that would need a little more time to describe. If you are interested and cannot wait, then I strongly recommend http://www.openbsd101.com/ and http://www.softwareinreview.com/bsd_tutorials/using_openbsd_4.2.html as well as the famous http://www.onlamp.com/ server, where you can learn a lot of wisdom from the real BSD gurus.
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inside the 


PBI system... 


Svetoslav P. Chukov 


PBI stands for PC-BSD Installer. It is a unique and very useful package management system. If you are familiar with other systems, you will notice some similarities and also some differences that make it unique.


If one just clicks on the .pbi file, an automated installer appears and offers to guide the user through the installation process. On the whole this is probably like a wizard that helps people install the program, and I would say it is very successful in that task.

Features
Every operating system is based on some small parts of software that create the whole solid foundation of the OS. So, I would say that these small pieces in the GNU/Linux world are the packages, but it is interesting how this question is answered in the PC-BSD world. What are these parts that PC-BSD is built on? The packages of FreeBSD and of the PBI. They create the system and everything that lies on it: libraries, applications and all other data that need to be used. For successful integration of an operating system into the market, the OS needs to be designed for that market. So, a server OS is designed with the main goals of being secure and stable; a desktop OS is designed to be user-friendly and easy to use. Everything is built for and aims to be used in a particular target market. PC-BSD itself is a desktop-oriented OS. Yes, and I would say that it really achieves that goal pretty well. But this is not all. The basis of its success is mostly the great system called the PC-BSD installer. What exactly is so great in PBI? What makes it special for installing software? The answer: its ease of use and its simplicity. The basic reason why I think PBI is so successful is that it contains all the data it needs to install the application. So, if the application needs library X, then the installer should contain that library. In the installation process it should extract and prepare that library to work, and that makes the application work properly.

This design concept solves an entire pool of problems and troubles with package dependencies and inconsistencies. The flip side, worth keeping in mind, is that every bundled copy of library X is a separate copy to patch when X gets a security fix. One other big plus for PBI is the support for advanced scripting. That is a very huge plus for it.
PBI offers: 


A completely graphical installation in step-by-step style. 
Scripting Support - a really powerful feature that makes PBI 
not only an executable installer, but an installer that can 
think. 

A check for package integrity. 

Icon Management - this allows developers to set icons for 
both the desktop and the K-Menu. 

Error Detection, if something goes wrong with the 
installation 

Easy installation and un-installation. There is a utility to do 
this in the graphical environment, but a command line tool 
is also available. 


Understand what is inside
Basically, the front side of PBI is a visible-to-the-user, nice, user-friendly graphical interface, but the engine under the hood is nothing more than FreeBSD packages. Yes, PBI is something like an upgrade of FreeBSD packages, and it adds additional functionality. So, instead of being just a binary package that should be extracted to result in useful files, PBI consists of several parts that empower the plain packages with extra features. And these extra features make the PC-BSD installer flexible and scalable. What I want to do is to show you what exactly is inside a PBI package, how it works, how it processes data, and how it decides to do this instead of that. After this article you will be able to understand what actually is a PBI package and the magic inside it. We will start with the setup script. The purpose of the setup script is to set up the first actions and configurations of the subsequent operations. And, the next-executed script sets up the environment and

BSD 2/2008 


options for work. All the pre-tasks need to be done, and control of the installation is taken up by the next script. Basically this is a very comfortable model, because of the modularity of the scripts and processes. One could separate some tasks into different scripts easily, without any of them interfering with each other.

Probably at this point you have some questions, like: scripts? In PBI? What scripts? Yes, exactly, what scripts? The scripts that manage the installation and the un-installation processes, and the scripts that prepare the processes and make it possible for a simple package installer to interact with the user.

OK. PBI is not just a plain archive, but it is much more than that. It is a package with binary data and executable scripts that do some work. Basically the structure is very simple: the scripts are executed in the installation and the un-installation processes, and they handle all the necessary tasks. So, let's take a closer look at this. I assume for our example that work is to be done on gFTP. This is a comfortable GTK+ FTP client without many requirements for libraries and resources. So, it is suitable for our use.

When one starts installing a particular .pbi file, a nice, user-friendly, wizard-like installer appears. So, the next step is to specify the folder where the program files are to be put, and then the actual work of installation begins. As you may notice, it is clearly a simple procedure with two or three clicks on the Next button. But behind these three clicks a huge amount of work is done. There are pre- and post-installation scripts that need to be explained at this point.

These are the PBI.SetupScript.sh and PBI.FirstRun.sh.

The PBI.FirstRun.sh script will run before the program is extracted into the target directory. I understand that you cannot wait to see what is behind this script, and how it works to benefit the whole PC-BSD installer. Let's proceed deeper; see Listing 1, which is the code fragment of PBI.FirstRun.sh.

As you may see, this script contains logic that makes the decision whether to be installed or not to be installed. This example is pretty simple and understandable. Note that these scripts write to /usr/local and into other users' home directories, so the installer necessarily runs them with root privileges; a .pbi is therefore code you trust to run as root, which is why the integrity check listed above matters. Now I would say


Figure 1. Start the PC-BSD installer (the PC-BSD Software Installer window for gFTP 2.0.18, "Free Transfer Client", vendor gFTP Team, URL http://gftp.seul.org; "Click Next to start the install of gFTP.")


Listing 1. Code fragment of the PBI.FirstRun.sh 


#!/bin/sh
if [ -e "/usr/local/bin/gftp" ]
then
  # Looks like gFTP is installed, ask if they want to remove the old one
  ls -al /usr/local/bin/gftp | grep Programs 2>/dev/null
  if [ "$?" = "0" ]
  then
    kdialog --yesno "gFTP is already installed, do you wish to uninstall it?"
    if [ "$?" = "0" ]
    then
      # The symlink target /Programs/<name>/... tells us which PBI owns the binary
      FF="`ls -al /usr/local/bin/gftp | cut -d '>' -f 2 | cut -d '/' -f 3`"
      echo "${FF}" | grep gFTP 2>/dev/null
      if [ "$?" = "0" ]
      then
        PBIdelete -remove ${FF}
      else
        kdialog --sorry "gFTP could not be automatically removed... Please remove it in Add / Remove Programs and try again."
        return 2
      fi
    else
      kdialog --sorry "gFTP is already installed, it must be uninstalled before loading this PBI"
      return 2
    fi
  else
    # Could not find a link to PBI folder
    kdialog --sorry "gFTP is already installed, it must be uninstalled before loading this PBI"
    return 2
  fi
fi
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Listing 2. Code fragment of PBI.SetupScript.sh 


ln -s /Programs/${PROGDIR}/.sbin/gftp /usr/local/bin/gftp
ln -s /Programs/${PROGDIR}/.sbin/gftp-gtk /usr/local/bin/gftp-gtk
ln -s /Programs/${PROGDIR}/.sbin/gftp-text /usr/local/bin/gftp-text
ln -s /Programs/${PROGDIR}/man/man1/gftp.1.gz /usr/local/man/man1/gftp.1.gz
ln -s /Programs/${PROGDIR}/share/gftp /usr/local/share/gftp

# Point the wrapper script at the PBI's own prefix instead of /usr/local
sed 's:prefix=/usr/local:prefix=/Programs/gFTP2.0.18:g' /Programs/${PROGDIR}/bin/gftp > tempfile && mv -- tempfile /Programs/${PROGDIR}/bin/gftp

# Copy over all the LANG files
LANGFILE="gftp.mo"
cd /Programs/${PROGDIR}/locale
for i in `ls`
do
  mkdir -p /usr/local/share/locale/${i}/LC_MESSAGES >/dev/null 2>/dev/null
  cp /Programs/${PROGDIR}/locale/${i}/${LANGFILE} /usr/local/share/locale/${i}/LC_MESSAGES/${LANGFILE}
done
chmod +x /Programs/${PROGDIR}/bin/gftp
echo "LAUNCHCLOSE: /usr/local/bin/gftp"

Listing 3. Uninstall with PBI.RemoveScript.sh and PBI.RemoveScript2.sh 


#!/bin/sh
if [ -e "/Programs/gFTP2.0.18/PBI.RemoveScript2.sh" ]
then
  sh /Programs/gFTP2.0.18/PBI.RemoveScript2.sh "$1"
fi
rm -rf /Programs/gFTP2.0.18   # this line is garbled in the scan; the remove script ends by deleting the program directory

#!/bin/sh
rm -fR /usr/local/bin/gftp-gtk
rm -fR /usr/local/bin/gftp-text
rm -fR /usr/local/bin/gftp
rm -fR /usr/local/man/man1/gftp.1.gz
rm -fR /usr/local/share/gftp

# Remove the old locale files since we are uninstalling
LANGFILE="gftp.mo"
cd /Programs/${PROGDIR}/locale
for i in `ls`
do
  rm /usr/local/share/locale/${i}/LC_MESSAGES/${LANGFILE}
done
if [ "$1" = "..." ]   # the value compared against $1 is illegible in the scan
then
  # Ask if we want to remove the user profiles
  kdialog --yesno "Do you want to remove gFTP user settings?" --title "Remove user settings"
  if [ "$?" = "0" ]
  then
    cd /home
    for i in `ls`
    do
      if [ -e "/home/${i}/.gftp" ]
      then
        rm -rf "/home/${i}/.gftp"
      fi
    done
  fi
fi
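The locale loops in Listings 2 and 3 share a pattern worth fixing when writing one's own PBI scripts: they cd into a directory built from ${PROGDIR} without checking that the cd succeeded, then run for i in `ls`. If PROGDIR is empty the loop runs over whatever the current directory holds, and any name containing whitespace is split into several words, which during an uninstall means rm on the wrong paths. The following is an added example, not code from the PBI project or from the article; the function names and the temporary tree built in the test are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PBI scripts shown in the listings. Same job as
# the locale loops in Listing 2 (install) and Listing 3 (remove), with the
# failure modes closed: the source directory must exist (so an unset PROGDIR
# refuses instead of iterating over the wrong directory), names are taken from
# a glob rather than `ls`, and every path is quoted.
#
#   install_locales SRC DST LANGFILE   copies SRC/<lang>/LANGFILE to DST/<lang>/LC_MESSAGES/
#   remove_locales  SRC DST LANGFILE   removes exactly the files install_locales created
#   count_installed DST LANGFILE       number of LANGFILE catalogues under DST (for checking)
#
# install_locales and remove_locales return 0 on success, 1 when refused or failed.

install_locales() {
    src=$1; dst=$2; langfile=$3
    [ -n "$src" ] && [ -d "$src" ] || { echo "install_locales: no such dir: '$src'" >&2; return 1; }
    for d in "$src"/*/; do
        [ -d "$d" ] || continue            # glob matched nothing
        lang=$(basename "$d")
        [ -f "$d/$langfile" ] || continue  # skip directories without a catalogue
        mkdir -p "$dst/$lang/LC_MESSAGES" || return 1
        cp "$d/$langfile" "$dst/$lang/LC_MESSAGES/$langfile" || return 1
    done
    return 0
}

remove_locales() {
    src=$1; dst=$2; langfile=$3
    [ -n "$src" ] && [ -d "$src" ] || { echo "remove_locales: no such dir: '$src'" >&2; return 1; }
    for d in "$src"/*/; do
        [ -d "$d" ] || continue
        lang=$(basename "$d")
        # only the one file we installed, never a recursive rm on a computed path
        rm -f "$dst/$lang/LC_MESSAGES/$langfile"
    done
    return 0
}

count_installed() {
    find "$1" -name "$2" -type f | wc -l | tr -d ' '
}
```

In a real PBI.SetupScript.sh the call would be install_locales "/Programs/${PROGDIR}/locale" /usr/local/share/locale gftp.mo, and the matching remove_locales call goes in PBI.RemoveScript2.sh; with PROGDIR unset both refuse to run rather than touching /usr/local/share/locale blindly.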
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‘B PCesSp Software Installer 


gFIP Free Transfer Chent 


ONU GENERAL PUBUC LICENSE 
Version 2, June 1991 


Copy night (C) 1999, 199] Free Softvrare Foundation, Inc. 

51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, US4 
Everyone is permitted te copy and distribute verbatim copies 
of this license document, but changing it is not allowed. 


Preamble 


The licenses for most softw are are desiqnedts take avay your 

freedom to share and change it. By contrast, the GNU General Public 
License is intended to querantee y our freedom to share and change free 
softw are-te make sure the software is free for all its users. This 

General Public License applies to most of the Free Softer are 

Foundation’s software and ts any other program whose authors commit ts 


%) | Agree 


Figure 2. Agree to the terms of the license 


how surprised I was when I saw these lines of code for the first time. I expected to see more universal code with limited opportunities for user interaction. Instead, I saw code that is highly manual and modular. In fact, this is a shell script, and it is based on command-line tools and applications, but it also uses a GUI application to interact with the user. And of course the script could be altered to any new form you want. Since it is a shell script, you could execute another tool, an application, an interactive shell, or even another script, if you wish. That gives it the feature of being easily extensible. So, basically this script aims to do all the steps needed. Is the PBI already installed or not? Is there an older or newer version? Are there perhaps corrupted files in the target directory? These are some of the questions this script should answer.

OK. We have the FirstRun script, but what about the second run? What about the script that does the work after the package has been extracted? That is the place for the PBI.SetupScript.sh.


Figure 3. Choose the installation directory; the PC-BSD Software Installer suggests /Programs/gFTP2.0.18 for gFTP

It handles additional questions like: How to set up the application and its libraries? Where to put the data files so they are visible to the application? What about local files? Or new language support? So, after the package has been extracted into the target directory, this script takes on the job of setting up the application and solving all these questions. Of course this executable is a shell script too, and that gives us more room to work. I like the shell: it is well known to the users of all the UNIX-like systems, and such a script can easily be changed to match new criteria or goals.

Let's see now how this executable actually works. For that, take a closer look at the code itself (see Listing 2).

This code just creates symbolic links between the real files in the /Programs folder and the folders in $PATH under /usr/local. After that, the other data files the application needs are prepared. So, basically, the target directory is the directory that holds the files, and the links make them visible in the $PATH folders and therefore to the system. Every file the application needs should be visible to the system, copied or linked into the folders in $PATH.

Figure 4. Installation

Figure 5. Sit back and relax while the files are extracted

That was for the installation tasks; let's see how the un-installation works.

The remove actions are taken at un-install time by the script PBI.RemoveScript.sh. Basically, it runs the next script, called PBI.RemoveScript2.sh (see Listing 3).
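Listing 3 walks both directory trees with `for i in \`ls\``. That pattern splits names on whitespace, so a home directory called `foo bar` is visited as `foo` and then `bar` and its `.gftp` is never removed, and glob characters in names are expanded; the `cd` into the locale directory is also unchecked, so if that directory is missing, `ls` silently lists whatever the current directory happens to be. The functions below are an added example written for this article, not code from the gFTP PBI or from PC-BSD: they do the same two jobs with a quoted glob instead of `ls`, refuse to run when the source directory is absent, skip symlinked home directories, and report how many items they removed. The argument order and the count on stdout are this example's own conventions.

```shell
#!/bin/sh
# Safer replacements for the two `for i in \`ls\`` loops in PBI.RemoveScript2.sh.
# Added example for this article, not code from the gFTP PBI or PC-BSD.
# Both functions print the number of items removed on stdout.

# remove_locale_files PROGLOCALE SHARELOCALE LANGFILE
# For every language directory shipped under PROGLOCALE (e.g. /Programs/gFTP2.0.18/locale),
# remove SHARELOCALE/<lang>/LC_MESSAGES/LANGFILE. Refuses to run if PROGLOCALE is
# missing, instead of letting `ls` fall back to whatever the current directory is.
remove_locale_files() {
    progloc=$1
    shareloc=$2
    langfile=$3
    if [ ! -d "$progloc" ]; then
        echo "remove_locale_files: $progloc is not a directory" >&2
        return 1
    fi
    removed=0
    for entry in "$progloc"/*; do
        if [ ! -e "$entry" ]; then
            continue                      # empty directory: the glob stayed literal
        fi
        lang=${entry##*/}                 # basename without forking
        target="$shareloc/$lang/LC_MESSAGES/$langfile"
        if [ -f "$target" ]; then
            rm -f -- "$target"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# remove_user_settings HOMEROOT DOTDIR
# Remove HOMEROOT/<user>/DOTDIR for every home directory. The glob yields one
# word per entry, so a home called "foo bar" is handled instead of being split
# into "foo" and "bar" as `ls` output would be. Symlinked homes are skipped.
remove_user_settings() {
    homeroot=$1
    dotdir=$2
    removed=0
    for home in "$homeroot"/*; do
        if [ ! -d "$home" ] || [ -L "$home" ]; then
            continue
        fi
        target="$home/$dotdir"
        if [ -e "$target" ] || [ -L "$target" ]; then
            rm -rf -- "$target"           # rm removes a symlink itself, it does not follow it
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Usage: sh pbi-remove-safe.sh /Programs/gFTP2.0.18/locale /usr/local/share/locale gftp.mo /home .gftp
if [ $# -eq 5 ]; then
    remove_locale_files "$1" "$2" "$3"
    remove_user_settings "$4" "$5"
fi
```

Dropped into PBI.RemoveScript2.sh, the two calls replace the locale loop and the body of the kdialog branch; the kdialog question itself stays as it is.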


The result

You have now seen an example of the PC-BSD installer from the inside, and you can imagine how all the parts of the installer work together. Now I will show you the result of this. It is really pleasant. The first time I saw PBI, I did not understand how it works, but after a few hours of in-depth experience with PC-BSD, I got it. So, here are the actions of PBI shown in screenshots: see Figures 1-5.

Summary

I would say PBI is a wonderful way to manage an application, and I really liked it because of the way it works. In the world of Unix the ordinary method of installing an application or data on your computer is via packages. Many systems use many different package managers, but I was so impressed by PBI because of the step-by-step-and-you-are-done style in which it works. I am a technically oriented person, but I always appreciate good and valuable solutions that make my work easier. And PBI is one of them. It makes software management tasks more understandable to the user.
Connecting to Other IM networks

Eric Schnoebelen, Michele Cranmer

You have taken the plunge: you have adopted Jabber as your instant messaging system of choice. How do you keep in contact with all your poor, un-enlightened friends who are still using the proprietary walled-garden networks?

The solution is designed into Jabber/XMPP. The solution is transports, a mechanism that allows the creation of a gateway between the Jabber network and closed/proprietary networks, such as Yahoo! Instant Messenger, Microsoft Live Messenger, AOL Instant Messenger, ICQ, China's QQ, Facebook, Poland's Gadu-Gadu and other networks. GTalk is not listed because GTalk is XMPP-based and already federating; all it takes to converse with friends on GTalk is to add them to your roster.

Unfortunately, you can't connect to the walled-garden networks without having an identity on those networks. However, using the transports, you can use your favorite Jabber client to connect to all the networks you have identities on. All the roster information is contained in one location, on your Jabber server.


Why not use a multi-protocol client?

Multi-protocol clients have to focus on supporting lots of protocols, and probably don't support them all as well as they might. Jabber-only clients support Jabber extremely well, and leave the support of the other protocols to the transport installed on the Jabber server. Granted, the Jabber transports probably wouldn't be nearly as good as they are if it weren't for the people reverse engineering the proprietary protocols for the multi-protocol clients.


Let's build some transports

We are going to look at building the following transports and configuring them to work with the jabberd2 server we have been configuring. The transports are for AOL, MSN and Yahoo!.

The transports we're building are all written in Python. The AOL and MSN transports use the Twisted framework while the Yahoo! transport uses the xmpppy framework. Obligatory pkgsrc recommendation: I have packaged all of pyAIMt, pyMSNt and YIMt in pkgsrc-wip on SourceForge. The packages are py-jabber-aim-t, py-jabber-msnt, and py-jabber-yahoo-transport.

Changing into the appropriate directory and typing make install will download, build and install the packages and all their dependencies. FreeBSD has pyAIMt and pyMSNt in the ports collection as net-im/jabber-pyaim and net-im/jabber-pymsn. OK, now for building things the hard way.


Listing 1. Needed Packages and where to find them

Twisted-2.5.0
    http://tmrc.mit.edu/mirror/twisted/Twisted/2.5/

pyOpenSSL-0.6
    http://dl.sourceforge.net/sourceforge/pyopenssl/

Imaging-1.1.6
    http://effbot.org/downloads/

dnspython-1.6.0
    http://www.dnspython.org/kits/1.6.0/

xmpppy-0.4.1
yahoo-transport-0.4
    http://dl.sourceforge.net/sourceforge/xmpppy/

pyaim-t-0.8a
    http://pyaimt.googlecode.com/files/

pymsn-t-0.11.3
    http://delx.net.au/projects/pymsnt/tarballs/
Listing 2. Packages and their dependencies

pyaim-t-0.8a
    Twisted-2.5.0
    Imaging-1.1.6
    pyOpenSSL-0.6

pymsn-t-0.11.3
    Twisted-2.5.0
    Imaging-1.1.6
    pyOpenSSL-0.6

yahoo-transport-0.4
    xmpppy-0.4.1
    dnspython-1.6.0


Listing 3. Working pyaim-t configuration from jabber.cirr.com

<pyaimt>
    <!-- The JabberID of the transport. -->
    <jid>aim.jabber.cirr.com</jid>

    <!-- The JabberID of the conference room handler. -->
    <!-- GROUPCHAT IS NOT STABLE, YET -->
    <confjid>chat.aim.jabber.cirr.com</confjid>

    <!-- The component JID of the transport. Unless you're doing
         clustering, leave this alone -->
    <!-- <compjid></compjid> -->

    <!-- The location of the spool directory.. if relative, relative to
         the src dir. Do not include the jid of the transport. -->
    <spooldir>/var/spool/jabberd</spooldir>

    <!-- The location of the PID file. if relative, relative to the src dir. -->
    <!-- Comment out if you do not want a PID file. -->
    <pid>/var/run/jabberd/pyaimt.pid</pid>

    <!-- The IP address of the main Jabber server -->
    <mainServer>jabber.cirr.com</mainServer>

    <!-- The JID of the main Jabber server -->
    <mainServerJID>jabber.cirr.com</mainServerJID>

    <!-- The website of the Jabber service -->
    <website>http://jabber.cirr.com/</website>

    <!-- The TCP port to connect to the Jabber server on -->
    <!-- (this is the default for jabberd2) -->
    <port>5347</port>

    <!-- The TCP port that the web admin interface will answer on -->
    <!-- (uncomment to enable) -->
    <!-- <webport>12345</webport> -->

    <!-- The authentication token to use when connecting to
         the Jabber server -->
    <secret>xxxxxxxxxxxxxxx</secret>

    <!-- The authentication token to use when connecting to
         the web interface -->
    <websecret>letmein</websecret>

    <!-- The default language to use (for error/status messages) -->
    <lang>en</lang>

    <!-- The hostname of the AOL login server you wish to connect to -->
    <aimServer>login.oscar.aol.com</aimServer>

    <!-- The port of the AOL server you wish to connect to -->
    <aimPort>5190</aimPort>

    <!-- Send message on successful registration -->
    <registerMessage>You have successfully registered with PyAIMt</registerMessage>

    <!-- You can choose which users you wish to have as administrators.
         These users can perform some tasks with Ad-Hoc commands that
         others cannot -->
    <admins>
        <jid>eric@jabber.cirr.com</jid>
    </admins>

    <!-- You can select which event loop PyAIMt will use. It's probably
         safe to leave this as the default -->
    <!-- Use epoll for high-load Linux servers running kernel 2.6 or above -->
    <!--<reactor>epoll</reactor>-->
    <!-- Use kqueue for high-load FreeBSD servers -->
    <!--<reactor>kqueue</reactor>-->
    <!-- Use poll for high-load Unix servers -->
    <reactor>poll</reactor>
</pyaimt>
Dependencies
The first, and probably biggest, dependency is Python itself. I am assuming you have already gotten Python built and installed. pyaim-t and pymsnt require the Python Twisted framework, at least 2.5 or later. The twisted -core, -zopeinterface, -web, and -words sub-modules of Twisted are required. All are part of the Twisted-2.5.0 archive. The Python OpenSSL (pyOpenSSL) module is also required. If you want to support avatars, the Python Imaging module is also required. The Yahoo transport requires xmpppy, dnspython, and Python's expat module, which is sometimes an optional portion of the Python distribution.

Build and install all the modules using the standard Python mechanism of changing into the package directory and executing:

Listing 4. Working pymsn-t configuration file from jabber.cirr.com

<pymsnt>
    <!-- This file contains options to be configured by the server
         administrator. -->
    <!-- Please read through all the options in this file -->

    <!-- The JabberID of the transport. -->
    <jid>msn.jabber.cirr.com</jid>

    <!-- The public IP or DNS name of the machine the transport is
         running on. -->
    <host>msn.jabber.cirr.com</host>

    <!-- The location of the spool directory.. if relative, relative
         to the PyMSNt dir. Do not include the jid of the transport. -->
    <spooldir>/var/spool/jabberd/</spooldir>

    <!-- The location of the PID file, relative to the PyMSNt directory -->
    <pid>/var/run/jabberd/pymsnt.pid</pid>

    <!-- If set, the transport will background itself when run -->
    <background/>

    <!-- The IP address of the main Jabber server to connect to -->
    <mainServer>jabber.cirr.com</mainServer>

    <!-- The TCP port to connect to the Jabber server on (this is
         the default for Jabberd2) -->
    <port>5347</port>

    <!-- The authentication token to use when connecting to the
         Jabber server -->
    <secret>xxxxxxxxxxxxxxx</secret>

    <!-- The default language to use -->
    <lang>en</lang>

    <!-- The website of the Jabber service -->
    <website>http://jabber.cirr.com</website>

    <!-- Comment out the following options to disable them, or
         uncomment them to enable them -->
    <!-- Send email notification messages to users -->
    <emailNotifications/>

    <!-- Send greeting on login -->
    <sessionGreeting>
    You have just started a session with PyMSNt
    </sessionGreeting>

    <!-- Send message on successful registration -->
    <registerMessage>
    You have successfully registered with PyMSNt
    </registerMessage>

    <!-- Allow users to register with this transport -->
    <allowRegister/>

    <!-- Get all avatars. If this is set to true then avatars are
         grabbed for all your contacts immediately. If false then avatars
         are only grabbed when you're in a chat with a contact -->
    <getAllAvatars/>

    <!-- File transfer settings -->
    <!-- The maximum size of a file transfer (in bytes). For
         unlimited, comment out, or set to 0 -->
    <ftSizeLimit>524288</ftSizeLimit>
    <!-- The maximum rate for file transfer (in bytes). For unlimited,
         comment out, or set to 0 -->
    <ftRateLimit>2048</ftRateLimit>

    <!-- You can choose which users you wish to have as administrators.
         These users can perform some tasks with Ad-Hoc commands that
         others cannot -->
    <admins>
        <jid>eric@jabber.cirr.com</jid>
    </admins>

    <!-- Logging options -->
    <!-- The logging level
         0 -> No logging
         1 -> Log tracebacks
         2 -> Log tracebacks, warnings and errors
         3 -> Log everything -->
    <debugLevel>2</debugLevel>

    <!-- The file to log to. Leave this disabled for stdout -->
    <debugFile>/var/log/jabberd/pymsnt.debug</debugFile>
</pymsnt>
Listing 5. Working yahoo-transport configuration file from jabber.cirr.com

<?xml version="1.0"?>
<pyyimt>
    <!-- This file contains options to be configured by the server
         administrator. -->
    <!-- Please read through all the options in this file -->
    <!-- The JabberID of the transport. -->
    <jid>yahoo.jabber.cirr.com</jid>

    <!-- The JabberID of the conference room handler. -->
    <confjid>chat.yahoo.jabber.cirr.com</confjid>

    <!-- The location of the spool file... if relative, relative to the
         PyYIMt dir. -->
    <!-- Include the jid of the transport, if running multiple copies of
         the same transport -->
    <spoolFile>/var/spool/jabberd/yahoo</spoolFile>

    <!-- The location of the PID file, relative to the PyYIMt directory -->
    <!-- (Comment out if you do not want a PID file.) -->
    <pid>/var/run/jabberd/yahoo-transport.pid</pid>

    <!-- The IP address or DNS name of the main Jabber server -->
    <mainServer>127.0.0.1</mainServer>

    <!-- The JID of the main Jabber server -->
    <mainServerJID>jabber.cirr.com</mainServerJID>

    <!-- The TCP port to connect to the Jabber server on
         (this is the default for Jabberd2) -->
    <port>5347</port>

    <!-- The authentication token to use when connecting to the
         Jabber server -->
    <secret>xxxxxxxxxxxxxxx</secret>

    <!-- Allow users to register with this transport -->
    <allowRegister/>
    <!-- Allow users to use the Yahoo! chat rooms with this transport -->
    <enableChatrooms/>

    <!-- You can choose which users you wish to have as administrators.
         These users can perform some tasks with Ad-Hoc commands that
         others cannot -->
    <admins>
        <jid>eric@jabber.cirr.com</jid>
    </admins>

    <!-- The file to log to. Leave this disabled for stdout only -->
    <debugFile>/var/log/jabberd/yahoo-transport.log</debugFile>
</pyyimt>
python setup.py build
sudo python setup.py install


Build the transports

Once all the prerequisites are built, it is time to move on to building/installing the transports themselves.

All of the transports are meant to be executed out of the extraction directory, so choose well. (The packages in pkgsrc-wip have been modified to install into a common tree, and execute there.) Thus, there is not a lot to do for building.


Configuring
All the transports use XML files for configuration, and use many of the same tags. We will start our configuration with pyaim-t. Change into the directory pyaim-t-0.8a and start by copying config_example.xml to config.xml. Now fire up your favorite editor on config.xml. The most interesting fields to be checked and modified are:

<jid> – the id/name of the transport, usually something like aim.jabber.<domain name>. If you want off-site users to be able to use your AIM transport, this name needs to exist in DNS.

<mainServer> – the IP address of the jabber server.

<mainServerJID> – the DNS-listed hostname of the jabber server.

<secret> – the shared secret between pyaimt and the jabber server (router component). Pick a long random string: this token is what authenticates the transport to the router.

Changing those elements will get you up and running. Reviewing the rest of the elements may be interesting, but not essential. Two are worth a second look before the transport goes live: <websecret> guards the web admin interface, so the letmein shown in Listing 3 has to be replaced if <webport> is ever uncommented, and <admins> lists the JIDs allowed to run the administrative Ad-Hoc commands.

Configuring pymsnt is essentially identical. The example configuration file is called config_example.xml. Copy it to config.xml, and edit the <jid>, <mainServer> and <secret> elements to suit. Again, if you want the transport to be usable by people on other jabber servers, make sure the name specified in <jid> is listed in DNS.

The last transport to configure is yahoo-transport. For the yahoo-transport, the example configuration file is config_example.xml, and it is expected to be config.xml in the application start-up directory.

Again, the interesting elements are <jid>, <mainServer>, <mainServerJID>, and <secret>. Setting <confjid>, along with <enableChatrooms/>, will set up the gateway into the Yahoo conference rooms. Once again, the name given in <jid> (and <confjid> if you want conference rooms) must be resolvable in DNS if you want off-site jabber servers to be able to use it.


Starting the transports

OK, we've got them built, and we've got them configured, hopefully. Now it is time to start the servers. Each of them was designed to run out of its source directory.

First up, make sure the user you've chosen to run the servers has write permissions in the program directories. All of the transports store their spool files and directories as sub-directories of the current directory (unless modified by the configuration file). Run the transports as a dedicated unprivileged user rather than root, and keep the spool readable by that user only: the transports keep each registered user's legacy-network username and password in the spool, so a world-readable spool hands those credentials to every local account.
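The elements singled out in the Configuring section and the permission point in the previous paragraph can be checked mechanically before a transport is started. The POSIX shell script below is an added example for this article, not part of PyAIMt, PyMSNt or PyYIMt: it strips XML comments (so a commented-out <webport> counts as disabled), flags a <secret> that is empty, a known default or the listings' x-placeholder, flags a weak <websecret> only when <webport> is live, and reports a <spooldir>, <spoolFile> or <debugFile> path that is readable by every local account. The 16-character minimum, the list of default strings, and the constructed sample config written by write_sample_config are this example's assumptions, not values from the transports.

```shell
#!/bin/sh
# Pre-flight check for a transport config.xml (PyAIMt, PyMSNt or PyYIMt) before
# starting it. Added example for this article, not part of any transport.
# Findings are printed to stderr; the number of findings goes to stdout.

# Drop every <!-- ... --> span. "--" may not appear inside an XML comment, so
# the first "-->" after a "<!--" always closes it; a commented-out <webport>
# vanishes here and is correctly treated as disabled.
strip_xml_comments() {
    awk '{ s = s $0 "\n" }
         END {
             out = ""
             while ((i = index(s, "<!--")) > 0) {
                 out = out substr(s, 1, i - 1)
                 s = substr(s, i + 4)
                 j = index(s, "-->")
                 if (j == 0) { s = ""; break }
                 s = substr(s, j + 3)
             }
             printf "%s", out s
         }' "$1"
}

# xml_text FILE ELEMENT: text of the first live <ELEMENT>...</ELEMENT>, trimmed.
xml_text() {
    strip_xml_comments "$1" | tr -d '\n' |
        sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# xml_has_element FILE ELEMENT: true if a live <ELEMENT> or <ELEMENT/> exists.
xml_has_element() {
    strip_xml_comments "$1" | grep -q "<$2[ /]*>"
}

# is_weak_secret STRING: empty, a known default, the listings' redacted
# x-placeholder, or (this example's threshold) shorter than 16 characters.
is_weak_secret() {
    case "$1" in
        "" | letmein | secret | password | changeme) return 0 ;;
    esac
    case "$1" in
        *[!x]*) ;;                 # contains something other than x
        *) return 0 ;;             # nothing but x: the placeholder from the listings
    esac
    [ "${#1}" -lt 16 ]
}

# is_world_readable PATH: PATH exists and its other-read bit is set.
is_world_readable() {
    if [ ! -e "$1" ]; then return 1; fi
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# check_transport_config FILE: apply the checks above to one config.xml.
check_transport_config() {
    cfg=$1
    problems=0
    if is_weak_secret "$(xml_text "$cfg" secret)"; then
        echo "$cfg: <secret> is empty, a known default or under 16 characters" >&2
        problems=$((problems + 1))
    fi
    if xml_has_element "$cfg" webport; then
        if is_weak_secret "$(xml_text "$cfg" websecret)"; then
            echo "$cfg: <webport> is enabled but <websecret> is weak" >&2
            problems=$((problems + 1))
        fi
    fi
    # the spool holds the users' legacy-network credentials; the debug log can hold message text
    for el in spooldir spoolFile debugFile; do
        p=$(xml_text "$cfg" "$el")
        if [ -n "$p" ] && is_world_readable "$p"; then
            echo "$cfg: <$el> $p is world-readable" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
}

# write_sample_config FILE SPOOLDIR: a constructed config.xml with the values the
# pyaim-t listing shows: redacted <secret>, default <websecret>, <webport> commented out.
write_sample_config() {
    cat > "$1" <<EOF
<pyaimt>
  <!-- The JabberID of the transport. -->
  <jid>aim.jabber.example.org</jid>
  <spooldir>$2</spooldir>
  <!-- (uncomment to enable) -->
  <!-- <webport>12345</webport> -->
  <secret>xxxxxxxxxxxxxxxx</secret>
  <websecret>letmein</websecret>
</pyaimt>
EOF
}

# Usage: sh check-transport.sh config.xml [...]; exits non-zero if anything was flagged.
if [ $# -gt 0 ]; then
    total=0
    for f in "$@"; do
        n=$(check_transport_config "$f")
        total=$((total + n))
    done
    [ "$total" -eq 0 ]
fi
```

Run it as `sh check-transport.sh pyaim-t-0.8a/config.xml pymsnt/config.xml` (paths assumed here); findings go to stderr and the exit status is non-zero if anything was flagged, so it can gate the start-up commands that follow.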

So, as the user you are going to run the transports as, change into each directory in turn and start the transport. For pyaim-t and pymsnt, the program is PyAIMt.py and PyMSNt.py respectively. For yahoo-transport, it is yahoo.py.

PyAIMt.py will go into the background (become a daemon) if you specify the -b or --background flag:

./PyAIMt.py -b

will fire up the AIM transport. Check your log files for errors if the background program ends unexpectedly. PyMSNt.py acts the same as PyAIMt.py. Change into its directory and start it with the -b flag to make it act like a daemon. pymsnt also supports a <background/> XML element to have the transport start as a daemon.

yahoo-transport is a bit different, in that it has to be explicitly put in the background, as follows:

./yahoo.py &

Using the transports

To make use of your newly installed transports, browse your local server from your jabber client.

In Psi, right click on your account name, and select Service Discovery from the pop-up menu. Your newly installed transports should show up as children of the server.

To register, select the registration function in the appropriate fashion (in Psi, double clicking will do it) and then fill in the registration dialog. You will need to fill in your legacy network username and password.

Once you have registered, all of your contacts on the legacy system should start showing up in your jabber roster. Warning: you may be asked to Add/Auth a lot of users, the entire contents of your legacy system roster. Do not worry, your contacts on the legacy system won't see anything. And you will only have the annoyance once.

Congratulations, you have successfully built the transports, and used them to connect to the legacy systems. Now you can do all your instant messaging through your jabber server and your jabber client. And your friends on the legacy systems won't know the difference. I have been doing just that for over 3 years.

Now, it's up to you to start encouraging them to migrate to an open-standards messaging system, XMPP/Jabber.

In the coming issues, we'll talk about setting up conference room services, file transfer proxies, and an overview of several popular Jabber-capable clients. If you have any ideas for future articles, please send them to jabber@cirr.com.
Kernel File System Development in Userspace

Antti Kantee

As a programming and testing environment, the kernel is immensely more challenging than userspace. Therefore, kernel code is typically tested and developed in the comfort of userspace before undertaking the trial by fire in the kernel.

Previously, specially written glue code was required to make it possible to run kernel code in userspace, but now the NetBSD Runnable Userspace Meta Program (rump) framework makes it possible to run unmodified kernel file system code out-of-the-box in userspace and with seamless integration. It can be thought of as a generalized superset of the functionality provided by Sun's ZFS libzpool userspace testing library.

After the developed code is dropped into the kernel, bugs are usually found in specific use cases and the code must be debugged in the kernel environment. Anyone who has ever done kernel debugging knows that it is far from the most trivial and enjoyable task in the world. As the debugging session more often than not leads to a kernel panic, two different environments are a common approach: one for running the kernel being debugged and another one for controlling the former. There are multiple classic ways of accomplishing this: two physical machines, an emulator, or a userspace operating system.

The three ways listed above are fundamentally the same thing: creating an alternate environment and using that for debugging. There are two common problems with this approach.


Not enough isolation. The implementation under development still runs in the same kernel environment as the system that hosts it. For example, error path testing by introducing errors into common routines such as the buffer cache and disk drivers is difficult, since extra care must be taken so that portions of the kernel that are not under development (e.g. the root file system) do not suffer from the fault injection.

Too much isolation. Repeating a bug often depends on a specific machine and application configuration. For instance, it might require a big application such as OpenOffice or Firefox, or downloading and saving a file from some specific ftp site. This environment needs to be recreated in the test setup before the problem can be repeated.


This article is a tutorial for file system development using the Runnable Userspace Meta Program (rump) facility found in NetBSD. In addition to explaining the necessary steps in a practical hands-on manner, a brief introduction to the involved technology is given.

Technology overview
There are two different technologies involved in running kernel file systems in userspace.

Pass-to-Userspace Framework File System or puffs. puffs is the NetBSD mechanism for implementing file systems in userspace. The idea is similar to Linux FUSE, but the interface is different and mimics the BSD file system kernel interface, enabling a more natural implementation in the kernel. puffs receives requests in the kernel, transports them to the userspace file server, waits for a result and passes it back to the caller.

Runnable Userspace Meta Programs or rump. File systems implemented in the kernel are free to call any kernel routines. The rump shim layer makes sure these routines are available in userspace. For the most part, the routines are directly compiled from kernel source modules. Examples of these types of routines are the buffer cache routines and virtual file system subroutines. Some parts, however, must be reimplemented for userspace. Examples in the latter category are the disk device driver and virtual memory subsystem code.
There are two basic choices for running kernel file system code in userspace. Both are presented in Figure 1, alongside a regular in-kernel file system architecture for comparison.

The case with a mounted file system shows what the configuration looks like when running a kernel file system in userspace with complete application transparency. The requests are passed from the kernel to userspace and back using puffs and translated from the puffs protocol to the kernel vfs/vop interface using a helper library called p2k (puffs-to-kernel).

The standalone case invokes file system operations directly. This avoids kernel involvement, but requires specially written applications against a library called ukfs (user-kernel file system). The advantage of this approach is that the application is completely decoupled from the host kernel's features, the only exceptions being a handful of common system calls such as read()/write(). This means that NetBSD kernel file system code can be run on virtually any platform. The ukfs interface is discussed at length later in this article.

File locations
All rump source code is located in the NetBSD-current source tree under src/sys/rump. It will be present in NetBSD 5.0 when it is released. This document is written against the status present in NetBSD-current at the end of May 2008. The shim library is under src/sys/rump/librump. The kernel file systems are built as libraries under src/sys/rump/fs/lib while the file server binaries themselves are located in src/sys/rump/fs/bin. For example, the efs file system's kernel portion is built into src/sys/rump/fs/lib/libefs and the file server binary is found in src/sys/rump/fs/bin/efs. None of the built binaries are currently installed anywhere, so they must be run directly from the source tree.


Adding a new mountable file system: a walkthrough
To add a new file server to the rump build, the kernel portion of the file server must first be built as a regular userspace library. The only difference from a normal program library is that the compilation flags used for building this library are those of the kernel. Most of the necessary steps are already automatically handled by the build framework. The user should fill in the library name, source file path, and source modules to be compiled. An example of this for the efs file system is presented in Listing 1.

A directory called libyourfs should be created under src/sys/rump/fs/lib with the only content being the Makefile described above.

Additionally it might be necessary to specify file system specific compilation flags for the library. This may be done as with any other library. The following example is from libffs:

CPPFLAGS+=	-DFFS_NO_SNAPSHOT -DFFS_EI
CFLAGS+=	-Wno-pointer-sign

Next, the file server executable for mounting the file system is required.

The server daemon implementation is effectively just a matter of filling out the file system argument structure and calling the p2k library run routine. The file system arguments depend on the file system in question, but for our efs example it is simply a matter of filling out the location of the file system image to be mounted. As the server daemon assumes this path is passed as the first parameter to the program (argv has already been advanced past the option flags at this point, so argv[0] is that parameter), the following does the trick:

struct efs_args args;
memset(&args, 0, sizeof(args));
args.fspec = argv[0];

Calling the p2k library run routine mounts the file system and jumps to a main loop, which takes care of processing requests. The routine's signature is p2k_run_fs(fs_type, devpath, mountpath, mountflags, fs_args, fs_args_size, puffs_flags). As our example, efs is used once again: see Listing 2.


Figure 1. Kernel file system configurations: a regular in-kernel file system (syscall entry into the kernel fs), a mounted rump file system using puffs (libpuffs and libp2k in front of the kernel fs), and a standalone rump file system using ukfs (the application linked with libukfs and the kernel fs)


Listing 1. Kernel fs library Makefile

#	$NetBSD: Makefile,v 1.2 2007/08/07 10:16:57 pooka Exp $
#

.include <bsd.own.mk>

LIB=	efs

.PATH:	${NETBSDSRCDIR}/sys/fs/efs
SRCS=	efs_genfs.c efs_ihash.c efs_subr.c efs_vfsops.c efs_vnops.c

.include <bsd.lib.mk>
.include <bsd.klinks.mk>

Listing 2. p2k_run_fs() in efs

rv = p2k_run_fs(MOUNT_EFS, argv[0], argv[1], mntflags | MNT_RDONLY,
    &args, sizeof(args), pflags);
if (rv)
	err(1, "mount");
The mntflags and pflags variables have been parsed earlier from command line arguments. As the kernel efs implementation is currently read-only, the read-only flag is forced. The p2k_run_fs() routine returns only after a fatal error or when the file system is unmounted. Unmounting can be done the normal way using umount(8), or the violent way by killing the file server. To build the file system daemon, a Makefile similar to the one for the kernel portion library is required. Most of the work is once again handled by existing build infrastructure magic. The daemon code should be located in src/sys/rump/fs/bin in a directory called yourfs. The Makefile looks a lot like a standard BSD program Makefile, with the exception that the kernel file system library gets linked in. The path magic for this is handled automatically by the rump build framework. See Listing 3 for an example.

Finally, the build system must be told that your file system exists. This is done by adding yourfs to the RUMPFSLIST variable in Makefile.rumpfs in the directory src/sys/rump/fs. Currently the relevant line looks like this:

RUMPFSLIST=	cd9660fs efs ext2fs ffs hfs lfs msdosfs ntfs syspuffs tmpfs udf

After this, rebuild everything by typing make in the rump main directory. If all


Listing 3. File system server Makefile

#	$NetBSD: Makefile,v 1.1 2007/08/05 22:26:02 pooka Exp $
#

PROG=	efs

LDADD+=	${RUMPFSLD_EFS}
DPADD+=	${RUMPFSDP_EFS}

.include <bsd.prog.mk>

Listing 4. rump file system in mount lists

golem> mount | grep efs
/home/pooka/img/efs.img on /puffs type puffs|p2k|efs (read-only, nosuid, nodev, mounted by pooka)
golem> df /puffs

the above steps were done properly and rump supports all the functionality your file system uses, there will be an executable called yourfs in the object directory of src/sys/rump/fs/bin/yourfs. This executable can be run to mount the file system:

./efs ~/img/efs.img /puffs

As the previous example shows, an additional advantage of using rump is that there is no need to vnconfig file system images: they can be mounted directly as files. When accessing a device directly, it is recommended that the raw device is used, e.g. /dev/rwd1e. If the block device node (e.g. /dev/wd1e) is used, all access goes through the buffer cache. Since the buffer cache is fairly small, this can negatively affect the performance of all other file systems on the system when heavy file I/O is performed. The buffer cache is used by file systems only for metadata while file contents are stored in the page cache; therefore the buffer cache is of limited size. Block device node access goes entirely through the buffer cache, so file contents end up cached there too. For large files, this can quickly flush everything else from the buffer cache.

After mounting it is possible to use the file system just like a regular kernel file system: see Listing 4.


(read-only, nosuid, 


Filesystem liK-bilocks Used Avail SCap Mounted on 
/nome/pooka/img/efs.img e214 9161 TUSS5556.0/ Puls 
golem> ls /puffs 
WorkSpace debug etc lost? round umaisx: 
leak dev floppy stand ws 
cdrom dumpster iiss) tmp bse 
golem> 
The only difference to an in-kernel file system is that the file system image is being accessed in the comfort and safety of userspace.


Debugging Mounted File Systems in Userspace

All of the regular userspace debugging 
tricks apply to rump file systems. It is 
possible to single step, send signals, 
dump core, attach a debugger, ktrace, 
profile, stop and continue, add printfs, and 
do iterative development very quickly. 


Dealing with "kernel" panics 

A kernel panic in a rump file system is merely a core dump. It can be loaded into gdb like that of any other userspace program, and the stack backtrace and other state at the point of panic can be examined. The example below shows what happened when trying to mount a slightly corrupted FAT file system image:

golem> ./msdosfs ~/img/msdosfs.img /mnt
panic: buf mem pool index 23
Abort (core dumped)
golem>


After examining the core dump it became clear which field caused the error. A check for the bad value was added to the mount routine, and now mounting of the image is politely refused instead of causing a kernel panic.


Single stepping 

Single stepping rump file systems while they are being executed is easy, since pausing the file system does not pause the entire kernel. Only applications accessing the file system will be frozen for the duration of the debugging operation. For example, if one would like to trace or debug the execution of the ufs lookup routine, ufs_lookup(), one could do the following: see Listing 5.

In addition to the small teaser presented above, the regular gdb tricks of course apply. A useful thing to note from the stack backtrace is that vnode operations go through RUMP_VOP_OP() instead of VOP_OP() as in the kernel. The former can be used to place a breakpoint for a certain operation regardless of the type of file system being debugged.

There is one catch. Since NetBSD currently has problems debugging threaded programs, as a workaround for attaching a debugger you must compile rump so that it does not use threads. This can be done by making sure the following is set in src/sys/rump/librump/Makefile.inc:

CPPFLAGS+= -DRUMP_WITHOUT_THREADS

This disables thread support completely. 
This means that file systems which create 
threads can no longer be run. It also 
means that system threads such as the 
vnode release thread will not be started. 
For development operations besides live 
program debugging, it is recommended 
that rump is compiled with this option 
commented out to better emulate a proper 
kernel environment. Notably, there is no 
problem in NetBSD with debugging core 
dumps created by threaded programs. 


Listing 5. Using gdb on ffs

golem> gdb ffs
GNU gdb 6.5
...
This GDB was configured as "i386--netbsdelf"...
(gdb) break ufs_lookup
Breakpoint 1 at 0x[illegible]: file /usr/allsrc/src/sys/ufs/ufs/ufs_lookup.c, line 115.
(gdb) run -o ro ~/img/ffs.img /puffs
Starting program: /objs/[illegible]/sys/rump/fs/bin/ffs/ffs -o ro ~/img/ffs.img /puffs
rump warning: threads not enabled, not starting vrele thread
rump warning: threads not enabled, not starting namecache g/c thread
[meanwhile, cause a lookup to happen from another window]

Breakpoint 1, ufs_lookup (v=0xbfbfd1a0) at /usr/allsrc/src/sys/ufs/ufs/ufs_lookup.c:115
115             struct vop_lookup_args /* {
(gdb) n
120             struct vnode *vdp = ap->a_dvp;
(gdb) bt
#0  ufs_lookup (v=0xbfbfd1a0) at /usr/allsrc/src/sys/ufs/ufs/ufs_lookup.c:120
#1  0x0807ac38 in RUMP_VOP_LOOKUP (dvp=0x8148d00, vpp=0xbfbfd1ec, cnp=0x80b2a20) at rumpvnode_if.c:[illegible]
#2  0x08060725 in p2k_node_lookup (pu=0x80b7200, opc=0x8148d00, pni=0xbfbfd290, pcn=0xbfbfd27c) at p2k.c:[illegible]
#3  0x0807[illegible] in dispatch (pcc=0x80aea20) at dispatcher.c:[illegible]

Creating core dumps

Sometimes it is useful to add clauses to the code to force a core dump if some complex set of rules is met. This can be done simply with if (conditional) panic("hit condition");. Taking a core dump of an already running file server is sometimes required. The standard methods of using gcore(1) to generate a live core, or kill -ABRT to terminate the program and create a core, have often been found useful.

Direct access to file system code

The examples discussed so far mount the file system as part of the host system. If we recall, this means that accessing them requires control to flow through the kernel by making system calls. Accessing file system routines directly is done from ukfs without passing through the kernel. It can be used for developing utilities such as mtools and NetBSD makefs(8) by directly employing the kernel fs code and not requiring a separate userspace implementation. In addition, it allows writing fine-grained test programs and stress-testing file system code much more efficiently. Test functionality similar to Sun's ZFS ztest utility could also be written using ukfs, with the exception that it does not need to be limited to just one file system.

The main documentation for the ukfs library is currently available only in the form of a header in src/sys/rump/fs/lib/libukfs/ukfs.h. However, most of the routines resemble system calls, so it is easy to figure out what each ukfs call does. Calls typically take the file system context structure (struct ukfs *), a pathname, and whatever arguments are necessary. For instance:

ukfs_rmdir(ukfs, dirpath)

removes the directory dirpath, while:

ukfs_read(ukfs, filename, off, buf, bufsize)

will read at most bufsize bytes into buf from the file filename, starting at offset off.

To use the ukfs library, two initialization routines must be called. ukfs_init() initializes the global process state required for using ukfs and rump. After this, the desired file system must be mounted using ukfs_mount(fs_type, devpath, mountpath, mountflags, fs_args, fs_args_size). The parameters are the same as for p2k_run_fs() described earlier. The mount routine returns the context structure to be passed to the interface routines.

All pathnames given to the library can be relative or absolute. The current directory can be changed by calling the ukfs_chdir() routine. The current directory is per thread, so in case the process using ukfs has multiple threads, each thread starts with the root directory as its current directory and must change it explicitly if desired.


Further information

Documentation, technical papers and examples of use for puffs and rump can be found on the NetBSD website:

http://www.NetBSD.org/docs/puffs/
http://www.NetBSD.org/docs/puffs/rump.html
securing IM using Jabber/XMPP and TLS

Eric Schnoebelen, Michele Cranmer

XMPP/Jabber offers a number of features that make it different from the commercial, closed messaging systems. This month, we'll talk about how to secure client to server and server to server communications.

Are your private communications via instant messaging really as private as you think they are? This month, we will talk about how to secure client to server and server to server communications.

Have you ever been chatting with a friend or family member on one of the big instant messaging services, and wondered who else might be seeing your conversation? Well, the truth is... it could be anyone! The major IM services seem to lack the mechanism for securing the communications between the client and server.

Wouldn't you rather use a service that you operate and know is secure? One where you do not have to worry about whether the things you say to your Mother about your ex will be read by someone who knows them? That is what Jabber can give you! The security of knowing that what you chat about will stay between you and the person/people you are chatting with.

In the last issue we showed you how to set up a Jabber/XMPP server, using the open source jabberd2 server. This time we will talk about how to secure communications through that system. One of the features Jabber/XMPP offers that makes it different from the proprietary, commercial IM services is the ability to secure client to server and server to server communications. Secure server to server communication is an important feature of XMPP, and the XMPP Foundation has a goal of having most of the interconnecting (federating) jabber servers using secure channels by Jabber's 10th anniversary, 4 Jan 2009 (see https://stpeter.im/?p=2136).


Securing communications 

First up, we are going to discuss securing communications between your Jabber/XMPP server and a client. We are going to use the jabberd2 server we built/installed last time (although, since then versions up to 2.1.24.1 have been released, and 2.2.0 was released during the writing of this article).

You can use either a self-signed certificate for securing your jabber server, or you can use a commercial certificate. The XMPP Foundation (http://www.xmpp.net) has set up an agreement with StartCom to provide every Jabber server operator with a certificate signed by a known signing authority.

We will go through the common steps for generating both a commercially signed certificate and a self-signed certificate, as they are common for most of the tasks.


Creating the certificate signing request 

Some of the signing authorities, such as the one offered by xmpp.net, offer a web form to create the certificate signing request.

Other signing authorities will require you to create your own certificate signing request. If you are creating a self-signed certificate, you will need to create a signing request as well. XMPP certificates require a bit of additional information not required for the more common HTTP/SSL certificate signing request.

Listing 1 shows the changes/additions needed to your OpenSSL configuration file (/etc/openssl/openssl.cnf on NetBSD) to get the extra OIDs needed for XMPP's use (this listing can be found at http://wiki.jabber.org/index.php/XMPP_Server_Certificates).

Listing 2 shows the OpenSSL configuration file I used to generate signing certificates and self-signed certificates for jabber.cirr.com (along with my test jabber server, portnoy.cirr.com).


Creating a self-signed certificate 

Creating a self-signed certificate is fairly straightforward for anyone who has done it for web servers. Here is the command line I used:

openssl req -x509 -nodes -days 365 \
    -config /etc/openssl/xmpp.cnf -newkey rsa:1024 \
    -keyout portnoy.cirr.com.key -out portnoy.cirr.com.pem

Before installing on the jabber server, make sure to concatenate the .key file onto the .pem file.


Getting a certificate from xmpp.net

To receive a certificate from xmpp.net, you will have to register with xmpp.net. Follow the registration directions at https://www.xmpp.net/account-request.

There are two mechanisms for receiving a certificate from xmpp.net. The first is to use the web site to create your private key, your certificate signing request, and finally your certificate.

The second is to create your own key and signing request, and submit it to the XMPP CA for the creation of the certificate.

The first two screens in both processes are the same. The first screen is selecting the request type, either letting the CA create the request, or providing your own. Select as appropriate.

The second screen is providing contact information. A street address must be provided (post office boxes are not acceptable). The phone number provided must reverse look up to the street address provided.

Now the processes diverge.


XMPP CA generated CSR 

When letting the XMPP CA generate the certificate signing request, the third screen in the process will request a pass-phrase for use on your key. It must be between 10 and 82 characters long, using mixed case alphabetic letters and digits.

The fourth screen presents the private key that was generated. Copy it from the text box, and record it somewhere. Also remember to record the pass-phrase to this private key. Select continue to move to the next screen.

On the fifth screen, the information required for your certificate signing request will be collected. The information is your country, your state/province, your city/town/locality, your organization, and finally the hostname of the jabber server. The top level domain is available as a pull down.

Select continue, and the sixth screen appears, requesting the email address to receive the validation request, and presents the certificate signing request generated. You should save the certificate signing request.

Skip down to Validating the request for the rest of the process.
Self Generated CSR


When generating the CSR yourself, you can 
use Listing 2 as the start of a configuration 
file to generate your certificate signing 
request. Make sure the Common Name 
is the fully qualified domain name of the 
jabber server, as presented in the DNS SRV 
record or A record. 


The following openssl command line will generate the request:

openssl req -new -nodes -config /etc/openssl/xmpp.cnf \
    -newkey rsa:1024 -keyout portnoy.cirr.com.key \
    -out portnoy.cirr.com.csr

Listing 1. Lifted from http://wiki.jabber.org/index.php/XMPP_Server_Certificates

oid_section = new_oids

[ new_oids ]

# RFC 3920 section 5.1.1
xmppAddr = 1.3.6.1.5.5.7.8.5

[ req ]

default_bits = 1024
default_keyfile = foobar.key
distinguished_name = distinguished_name
req_extensions = v3_extensions
x509_extensions = v3_extensions

# don't ask about the DN
prompt = no

[ distinguished_name ]

countryName = GB
stateOrProvinceName = England
localityName = Cambridge
organizationName = dotat labs
commonName = dotat.at

[ v3_extensions ]

# for certificate requests (req_extensions)
# and self-signed certificates (x509_extensions)

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @subject_alternative_name

[ subject_alternative_name ]

DNS.0 = dotat.at
otherName.0 = xmppAddr;UTF8:dotat.at

# Append the following for a server which handles multiple domain names:
DNS.1 = example.org
otherName.1 = xmppAddr;UTF8:example.org

Listing 2. openssl_conf

openssl_conf = openssl_init

[ openssl_init ]
oid_section = new_oids

[ new_oids ]
# RFC 3920 section 5.1.1
# defines this OID
xmppAddr = 1.3.6.1.5.5.7.8.5

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = distinguished_name
req_extensions = v3_extensions
x509_extensions = v3_extensions
prompt = no

[ distinguished_name ]
countryName = US
stateOrProvinceName = Texas
localityName = Plano
organizationName = Central Iowa (Model) Railroad
commonName = jabber.cirr.com

[ v3_extensions ]
# for certificate requests (req_extensions)
# and self-signed certificates (x509_extensions)
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment

# subjectAltName = @subj_alt_name
subjectAltName=DNS.1:cirr.com, otherName.1:xmppAddr;UTF8:cirr.com, \
    dirName.1:distinguished_name, \
    DNS.0:jabber.cirr.com, otherName.0:xmppAddr;UTF8:jabber.cirr.com, \
    dirName.0:distinguished_name, \
    DNS.2:portnoy.cirr.com, otherName.2:xmppAddr;UTF8:portnoy.cirr.com, \
    dirName.2:distinguished_name

Listing 3. jabber.cirr.com

<id realm='jabber.cirr.com'
    pemfile='/etc/openssl/certs/jabber.cirr.com.pem'
    password-change='true'
    register-enable='false'>jabber.cirr.com</id>

After the certificate signing request has been generated, paste it into the text box on the XMPP CA form, and submit it. The next screen will ask for the domain administrative email (hostmaster@, postmaster@, or webmaster@) to receive the validation token. Patiently await its delivery to the respective mailbox.
Validating the request

At this point the two certificate generation paths converge.

Once the token arrives, enter it into the field on the screen, and submit the form.

The final screen will appear with your certificate. Copy it from the web page, and also save the Certificate Authority intermediate certificates. Once you have all the certificates, chaining certificates and keys, your key needs to have the pass-phrase removed (unless you want to enter your pass-phrase every time one of the components starts). To remove your pass-phrase, use an openssl command line similar to the following (replace the key file names with your key file names):

openssl rsa -in jabber.cirr.com.key \
    -out jabber.cirr.com.key-no-passphrase


The certificate, chaining certificates, and your key now need to be concatenated into one large file, with the elements in the following order:

1. Your certificate
2. The intermediate certificate authority chain certificates
3. Your key

As an example:

cat jabber.cirr.com.crt sub.class1.xmpp.ca \
    jabber.cirr.com.key-no-passphrase > jabber.cirr.com.pem


Congratulations, at this point you have 
successfully generated a certificate file for 
securing your XMPP communications. 
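A layout check for that concatenated file, as an added example that is not part of the article or of jabberd2: it verifies the block order the article requires and that the key no longer carries a pass-phrase, before the file is pointed to from c2s.xml or s2s.xml. The PEM bodies are constructed placeholders, not real certificates or keys.

```python
# Layout check for the concatenated pemfile jabberd2 reads (c2s.xml / s2s.xml).
# Added example, not part of the article or of jabberd2. The article's required
# order is: server certificate, intermediate CA chain, private key (pass-phrase
# removed). The sample bodies below are constructed placeholders, not real keys.
import re

# One PEM block; group 1 is the label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----",
                       re.DOTALL)


def pem_blocks(text):
    """Return (label, body) pairs in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(label, body):
    """PKCS#8 encrypted keys carry their own label; traditional keys carry a
    Proc-Type header inside the block when the pass-phrase was never removed."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def check_pemfile(text):
    """Return the list of problems found; an empty list means the layout is right."""
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    problems = []
    if labels[0] != "CERTIFICATE":
        problems.append("first block must be the server certificate, found %s"
                        % labels[0])
    key_at = [i for i, label in enumerate(labels) if label.endswith("PRIVATE KEY")]
    if len(key_at) != 1:
        problems.append("expected exactly one private key, found %d" % len(key_at))
    else:
        i = key_at[0]
        if i != len(labels) - 1:
            problems.append("private key must be the last block, it is block %d of %d"
                            % (i + 1, len(labels)))
        if key_is_encrypted(*blocks[i]):
            problems.append("private key still has a pass-phrase; strip it with "
                            "openssl rsa before the component can start unattended")
    for i, label in enumerate(labels):
        if label != "CERTIFICATE" and not label.endswith("PRIVATE KEY"):
            problems.append("unexpected block %s at position %d" % (label, i + 1))
    return problems


def _block(label, body="MIIB...constructed placeholder, not real key material...\n"):
    """Build a constructed PEM block for the samples."""
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)


# Constructed bundles: the order the article asks for, the key pasted first,
# and a key whose pass-phrase was never removed.
GOOD_BUNDLE = _block("CERTIFICATE") + _block("CERTIFICATE") + _block("RSA PRIVATE KEY")
KEY_FIRST_BUNDLE = _block("RSA PRIVATE KEY") + _block("CERTIFICATE") + _block("CERTIFICATE")
ENCRYPTED_BUNDLE = _block("CERTIFICATE") + _block(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    "MIIB...constructed placeholder...\n")

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("key first", KEY_FIRST_BUNDLE),
                         ("encrypted", ENCRYPTED_BUNDLE)):
        print(name, check_pemfile(bundle) or "ok")
```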


Configuring jabberd2 to use the certificate

Configuring jabberd2 to use the certificates is pretty easy. Two configuration files need to be modified, and two components need to be restarted.


Configuring client-server encryption 

The first of the configuration files to be modified is the c2s.xml configuration file (found in /usr/pkg/etc/jabberd/c2s.xml on pkgsrc/NetBSD/DragonFlyBSD, /usr/local/etc/jabberd on OpenBSD/FreeBSD). The stanza to be modified is <local><id></id></local>. You want to add a pemfile='<pemfile filename>' attribute to the <id> tag. In the standard c2s.xml file, there is a commented out stanza showing the correct syntax. Listing 3 shows the (stripped down) stanza in use on jabber.cirr.com.

Once you've restarted the c2s component, client to server communications can be encrypted, assuming the client supports TLS authentication/encryption with the server.

Fire up your favorite TLS capable Jabber client (Psi is one such client) and look for the secured icon. Note that using a self-signed certificate may cause the client to produce a dialog about an invalid certificate authority (CA).


Configuring server to server (s2s) encryption is as easy as configuring client to server (c2s) encryption. The stanza needing attention in s2s.xml is <local><pemfile></pemfile></local>. Uncomment that clause, and update the file path as appropriate. To verify that TLS encryption is working, verify that the s2s component started with no errors about the certificate. Then, attempt to get the presence information about someone on a TLS secured XMPP server, such as jabber.org or jabber.cirr.com. Look in your s2s log file, and search for a message similar to the following:

[7] [remote address and port illegible in scan] incoming route 'portnoy.cirr.com/jabber.org' is now valid, TLS negotiated

Congratulations, you have successfully secured communications between your XMPP client and your XMPP server, and between your XMPP server and other (suitably configured) XMPP servers (such as jabber.org, jabber.cirr.com, or others).

That wraps up securing/encrypting communications between your XMPP client and your server, and between your server and others! That was relatively easy, wasn't it?



OpenBSD in business and making money

Girish Venkatachalam


Open Source is often alleged to be apathetic towards business and money. Corporations often accuse open source of being unable to bring in the profits that run a business. Nowadays everyone knows that open source is serious and cannot be ignored.

I am going to demonstrate in this article that open source can not only mean serious business but also make you rich. No kidding. There are many entrepreneurs among OpenBSD developers and they use OpenBSD, which has the most liberal licensing that any OS has, and still, interestingly, they make a living out of it. I am going to show you how I use OpenBSD to make a living in Chennai, India.

We are going to be talking about three different topics, related to one another in a subtle way.


Spam control 

Spam control is big business in organizations. Employees having to deal with unsolicited commercial/bulk mail is something that not only reduces productivity but also eats into the company's bottom line.

Another thing that eats into the company's bottom line is the lack of productivity and disturbance caused by Microsoft Windows due to its various vulnerabilities, viruses, worms, trap doors and other malware, not to mention crashes of course. We will get to that in a minute.

First, spam control.


Spam control with OpenBSD greylisting

Spam control has to invariably fall under one of the following categories:

a) Bayesian filtering and contextual analysis
b) Heuristic filtering based on known keywords/bad words
c) CRM114 Markovian chain based filtering (related to a)
d) Vipul's Razor approach of DCC (Distributed Checksum Computation) with manual interference (Gmail uses this heavily)
e) Greylisting to stop spam right at the MTA level
f) IP address blacklisting and e-mail address whitelisting
g) TMDA, a cure worse than the disease (only approved senders can send mail)
h) RBL lists, Spamhaus (politically sensitive spam control techniques)
i) Sender Policy Framework (SPF) (not a bad idea per se, but does not work well)

This is more or less it.

And most of these techniques are based on content scanning/filtering and actually reading e-mails with a computer.

Since this is an activity that requires a high end CPU and memory, spam control software and virus scanning software typically end up grinding your machines to a halt or even slowing down your legitimate e-mails.

Also there is the very scary possibility of losing e-mails due to false positives.

OpenBSD's spamd uses a technique called greylisting. This is a very smart way to combat spam since it is stopped right at the MTA level. Since this never reads e-mail it is also very fast and highly efficient.

It is impossible to get a false positive here, though the first mail from a domain will experience a delay.

I have seen some problems with popular mail sites like Yahoo and Gmail but they can be easily resolved by manual whitelisting.

Basically greylisting forces mail servers to be RFC 2821 compliant and retry mails until the receiving site is ready. This also has the added advantage of hurting spammers sometimes and also stopping the spam that is meant for some other sites.

The architecture of our solution is something like this (Listing 1). Here is a schematic to explain how OpenBSD greylisting works.

The firewall that works in the appliance redirects e-mail traffic depending on three parameters:

- Sending IP address (From IP)
- Envelope sender (who sends you mail?)
- Envelope recipient (who is mail addressed to?)

If the above 3-tuple is seen for the first time then the mail sender is subjected to the torturous spamd filtering (running on port 8025 above). There is a phenomenon called initial stuttering that happens here. Instead of talking at full speed the MTA accepts mail one character at a time. This will piss off spammers and many go away. But legitimate senders have just one mail to send. Moreover they have to be RFC compliant. So they survive the test.

Once this process is completed, any subsequent mails from this sending IP address are assumed to be legitimate and they directly talk to the company mail server.

There are several parameters that can be tweaked here. So we can tighten the screws a bit once we observe how this comes up in production. And you don't waste your storage space and bandwidth receiving spam first and then rejecting it. Overall a very brilliant idea, no doubt.
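The 3-tuple rule described above, modelled as an added example that is not spamd's own code: the thresholds are assumed to match spamd's default passtime, greyexp and whiteexp values (25 minutes, 4 hours and 36 days), and the delivery attempts run through it are constructed.

```python
# Greylisting decision logic modelled on the 3-tuple rule spamd(8) applies.
# Added example, not spamd's own code. Thresholds are assumed to match
# spamd's default -G values: passtime 25 min, greyexp 4 h, whiteexp 36 days.

GREY_MIN_WAIT = 25 * 60           # seconds a tuple must age before a retry counts
GREY_EXPIRE = 4 * 60 * 60         # grey entries not retried by then are forgotten
WHITE_EXPIRE = 36 * 24 * 60 * 60  # a whitelisted IP stays white this long

STUTTER = "STUTTER"   # spamd greylists: temporary failure, one character at a time
PASS = "PASS"         # <spamd-white> table hit: talk to the real MTA directly


class Greylister:
    def __init__(self):
        self.grey = {}    # (src_ip, envelope_from, envelope_to) -> first time seen
        self.white = {}   # src_ip -> time last seen

    def decide(self, src_ip, env_from, env_to, now):
        """Classify one SMTP delivery attempt made at time `now` (seconds)."""
        last = self.white.get(src_ip)
        if last is not None and now - last < WHITE_EXPIRE:
            self.white[src_ip] = now       # pf 'no rdr' rule: straight to port 25
            return PASS
        key = (src_ip, env_from, env_to)
        first = self.grey.get(key)
        if first is None or now - first > GREY_EXPIRE:
            self.grey[key] = now           # never (recently) seen: greylist it
            return STUTTER
        if now - first < GREY_MIN_WAIT:
            return STUTTER                 # retried too soon: still grey
        # An RFC 2821 compliant retry after the wait: the source IP goes white
        # and every later delivery from it bypasses spamd.
        del self.grey[key]
        self.white[src_ip] = now
        return PASS


def simulate(attempts):
    """Run constructed (time, src_ip, env_from, env_to) attempts through one
    Greylister and return the decision for each, in order."""
    g = Greylister()
    return [g.decide(ip, mail_from, rcpt, t) for (t, ip, mail_from, rcpt) in attempts]


# Constructed sample (RFC 5737 test addresses): a spam source that never
# retries, and a legitimate MTA that retries 30 minutes later.
SAMPLE = [
    (0,     "203.0.113.5",  "spam@example.net",   "boss@company.example"),
    (0,     "198.51.100.9", "friend@example.org", "boss@company.example"),
    (60,    "198.51.100.9", "friend@example.org", "boss@company.example"),   # too early
    (1800,  "198.51.100.9", "friend@example.org", "boss@company.example"),   # real retry
    (1900,  "198.51.100.9", "other@example.org",  "staff@company.example"),  # IP is white
    (15000, "203.0.113.5",  "spam@example.net",   "boss@company.example"),   # grey expired
]

if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE, simulate(SAMPLE)):
        print(attempt[0], attempt[1], verdict)
```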

To configure spamd(8) all you have to do is enable it in /etc/rc.conf.local by adding these lines:

pf=YES
spamd_flags=""
spamd_black=NO
spamlogd_flags="-i fxp0"

I am of course assuming that your network interface is fxp0.

And your pf.conf should have these lines:

table <spamd-white> persist
no rdr on fxp0 proto tcp from <spamd-white> to any port smtp
rdr pass on fxp0 proto tcp from any to any port smtp -> 127.0.0.1 port spamd

Of course there is more to it than meets the eye but you get the idea.

Anyway as a bonus this also stops all sorts of irritating malware like viruses, Trojans, worms and other annoyances. Such mails usually propagate with reckless abandon and my firewall running in the appliance can rate limit them.


Another need the big corporates have is ensuring 100% uptime for their critical servers. This could include web servers, mail servers, database servers or anything else that forms the backbone of a company's business.

OpenBSD has two very simple ways to solve this problem: CARP and relayd.

CARP is a protocol that works at a very low level. Hence its ability to fail over is fantastic. Since it works at layer 2, you can trivially fail over any service you offer, since all services will be offered with an IP address. CARP configuration is brain dead simple and anyone can get it working within minutes.

If you have two OpenBSD boxes that you want to fail over in case one goes down then all you have to do is create the carp0 interface on both machines like this:
## Host A (MASTER)
# ifconfig carp0 create
# ifconfig carp0 192.168.1.10 vhid 1 carpdev fxp0

and on Host B,

## Host B (BACKUP)
# ifconfig carp0 create
# ifconfig carp0 192.168.1.10 vhid 1 carpdev fxp0 advskew 100
That is all there is to it. Now try pinging the virtual IP 192.168.1.10 you just created from a different host. Then try something interesting. Unplug the ethernet cable from Host A. You can check which one is master with the ifconfig command.

You will notice that the BACKUP will take over within a few seconds and start responding to ping requests. Once you plug the cable back in you will see that the MASTER and BACKUP roles get interchanged automatically as per our original intention. CARP is really simple to get working but there is more to it. You need to allow the IP CARP protocol as well as the PFSYNC protocol in case you are interested in synchronizing the firewall states before fail over. And in most real world applications you have to take care that the state of the backup is up to date with the master or at least reasonably close. For instance if you are doing a fail over of the antispam appliance then you need to ensure that the pf tables are in sync, and also the /var/db/spamdb database. You can easily ensure this by running a cron job to rsync or even copy it from one place to another.

relayd(8) is another interesting daemon introduced in OpenBSD recently that can do quite a few interesting things. We are not going to discuss most of its cool features here. We will just take a look at its potential. The gory details are in the man pages of OpenBSD, as is the usual case with the OS. There is no OS that places as much emphasis on correct documentation as OpenBSD.


What does relayd do? 

It is a service redirector. It is also many other things, but for me it means that in case the customer runs a web server on an OS other than OpenBSD, then I can fail over the web server using relayd. But then you should remember that relayd works at a much higher layer in the OSI stack and consequently you should always try to use CARP for fail over as much as possible. relayd can act as an SSL load balancer. This is a very useful feature since what we require is a secure connection only until the point it reaches our internal network. Beyond that we can load balance using unencrypted/unprotected sessions. So what relayd can do for us is finish the SSL handshake at the entry point to our network so that we can serve many customers even when using SSL. SSL based HTTP servers are typically highly loaded due to the crypto operations and other latency. This comes as a boon for such businesses.


Firewall

In the last issue I had covered firewalling with OpenBSD pf. pf forms such an important component of OpenBSD networking that any networking product that uses OpenBSD will invariably use it. pf can be used for NATing, blocking certain ports or redirection. It can also be used for load balancing.

We talked about the various ways in which Windows hurts a business in the beginning. OpenBSD based firewalling can be used to good effect using its ability to do passive OS fingerprinting. pf comes with an ability to detect the OS of a particular machine by inspecting its TCP SYN packet. So we can use this to make sure that Windows machines do not send malicious traffic.


Conclusion 

We have very clearly seen how OpenBSD helps you succeed in business and make as much or even more money than companies that sell commercial software or hardware. The model of open source software based appliances has great potential since most businesses are worried about support. If you can provide them support for the hardware and the open source software they will be willing to purchase your product. The reason is simple for businesses.

Open source software gives them 
unlimited freedom and there are no pesky 
limitations like number of concurrent users 
and other irritations like license renewals 
that are typically found in commercial 
software. 

In short, OpenBSD is serious business! 
Figure 1. spamd architecture
Absolute FreeBSD, 2nd Edition (review)

Written by MICHAEL W. LUCAS Jr (the W. in the middle is important, the appended Jr is even better), this 700-page book is the updated opus of the famous FreeBSD bible from No Starch Press. Known for their unique books on technology, they focus on Open Source, security, hacking, programming and alternative operating systems, and Absolute FreeBSD 2nd Edition is no exception.

You will learn to manage your 
FreeBSD system, from installation to 
configuration and lots more, like how to 
build your own embedded devices, how 
to encrypt disk partitions, how to use 
FreeBSD’s multiprocessor features to 
your best advantage, how to run diskless 
servers, and more! 

Absolute FreeBSD, 2nd Edition covers installation, networking, security, network services, system performance, kernel tweaking, filesystems, SMP, upgrading and crash debugging. It also includes a lot of tutorials and how-tos: use advanced security features like packet filtering, virtual machines and host-based intrusion detection; build custom live FreeBSD CDs and bootable flash; manage network services and filesystems; use DNS and set up email, IMAP, web and FTP services




for both servers and clients; monitor your system with performance-testing and troubleshooting tools; run diskless systems; manage schedulers; remap shared libraries; optimize your system for your hardware and your workload; build custom network appliances with embedded FreeBSD; implement redundant disks, even without special hardware; and integrate FreeBSD-specific SNMP into your network management system.

The first edition is 7 years old and was a complete guide to FreeBSD 4.0 at that time. This second edition is about the latest FreeBSD version, 7.0, with all the tools since 4.0. Of course this book also applies to earlier versions as well as to future versions. Michael's coverage of GEOM, NanoBSD, FreeSBIE, journaling, memory file systems and filesystems in a file makes this book a must-have even for readers of the first edition. New readers will still get the solid introduction they need; concepts are explained clearly and with a lot of examples in this easy-to-use book. It's a great first step for those who would like to become committers or contributors in the future.

MICHAEL W. LUCAS (Jr) has been using Unix systems for more than 20 years


and FreeBSD since 1995. A developer himself, and a long-term contributor to the FreeBSD system, he provides in his books a clear point of view of the operating system. Written with the help and advice of dozens of FreeBSD developers, the answers are straight and the concepts given clearly. Famous for his cool writing talent, the author of the Absolute series makes it easy to read, very lively for a system administration guide. You can get an idea of it from chapter 8, available for free on the publisher's web page. More than a book, it's a manual aimed at the regular users who want to cleanly handle their desktop and the sysadmins who want to know how the machine thinks. Of course it's all about the command line interface and configuration files; those used to GUI environments and click-here-and-then-there tutorials will discover the strength and the flexibility of Unix and how the FreeBSD system is organised.

This book covers almost everything that appears in 7.0 except very recent developments like binary updates. It is nonetheless a bible for FreeBSD users and sysadmins. Now you don't have to google for every little command or single configuration detail you're looking for.


PC-BSD in Schools

iXsystems

Security, Stability, and Ease of Use Make PC-BSD Deployment in Poulx School District a Success. School District Deployment Sets the Tone for Future PC-BSD Deployments Throughout France


"PC-BSD provided the stable and secure solution we needed for a trouble-free deployment in the Poulx School District at a negligible cost," say Marie Walrafen and Guillaume Fontaine, owners of Chamanik.com.


- PC-BSD is easy to install
- PC-BSD is free and open source
- PC-BSD is secure, reliable, and provides excellent content management
- PC-BSD is easy to support
- PC-BSD can handle multiple users on a small network
- PC-BSD is based on FreeBSD


Schools, businesses, and government offices have a basic set of needs when it comes to deploying a desktop operating system. They need a solution that runs smoothly and efficiently, with minimal effort on behalf of the parties involved. The solution also needs to be safe, secure, and easy to implement and maintain. The Poulx School District did not have a need to run highly specialized applications. What they required was an operating system that is stable, reliable, and free of viruses. Unfortunately, hackers are continuously writing viruses for the Windows environment, and these viruses hamper the successful operation of a network. And while Linux protects against most viruses and is a low-cost open source alternative, it doesn't feature the stability and security of FreeBSD.

PC-BSD is a fully functional desktop operating system running FreeBSD 6 under the hood. Its graphical system installer makes the system installation process effortless. Its self-installing software packages make loading programs a snap. It is secure, reliable, and easy: a perfect tool for all basic needs and especially fit for use at a school, small business, or government office.

In February of 2008, Marie and 
Guillaume deployed PC-BSD in the Poulx 
School District in France. 

They installed PC-BSD on a small 
network that had previously been running 
the Mandriva version of Linux. 

Marie and Guillaume were already familiar with PC-BSD and FreeBSD, having deployed it for the wireless network in the city hall. They knew that the applications needed to run on the systems in the school were compatible, and that all the applications could be run with existing PBIs (push button installers) available for PC-BSD. Hundreds of easily installed PBIs are available for download from http://www.pbidir.com, with updates made daily. Many are also available on Disc 2 of PC-BSD. They also knew that PC-BSD can be installed very quickly, is easy to use, and can handle multiple users on a small school network. They made the recommendation to deploy PC-BSD in the schools, and have never looked back.

Marie and Guillaume downloaded PC-BSD Discs 1 and 2 free of charge from http://www.pcbsd.org. Marie used the Disc 1 copy as the install disk on all the machines. When each machine had completed the install process, Marie removed Disc 1 from the machine and inserted Disc 2. It took only a few minutes to install PC-BSD on each computer.

The final steps of the deployment 
process took about half an hour to 
complete. Marie configured the internet 
access for the school network and 
installed the French language files from 
the second CD. She also installed the 
PBls for critical applications needed 
by the school. Through the use of the 
PBI software Marie was quickly able to 
install Gimp, Planetarium, and various 
educational games. 


The school's requirement to prevent students from accessing inappropriate site content resulted in the need to set up a proxy server as a filter. Methods and protocols were established so that teachers were able to log in and connect to the internet without going through the proxy server, for unrestricted searches and research. The systems were also set up so that the teachers could boot from their individual computers instead of having to boot from the general server.

Marie set up an individual profile for 
each pupil on the school network, which 
would allow documents saved on the 
network to be accessed by students 
using any computer within the network. All 
software needs were accommodated by 
existing PBIs. 

All in all, the deployment process was highly successful. Marie just laughed when asked to describe a technical problem she had had during the deployment, as there were none. Support issues since the deployment have been minimal as well, consisting primarily of hardware upgrades and other issues not related to PC-BSD.

The teachers are very comfortable using PC-BSD and appreciate its ease of use and trouble-free administration. They have forgotten all about Mandriva and Windows XP (which they were using before Mandriva). The students have been able to access their files with ease, and some of them are enjoying PC-BSD so much that they have asked Marie and Guillaume how to install it on their desktop at home. They appreciate the possibility that there is an available alternative to Windows, and even to Linux.

The solution deployed by Marie and 
Guillaume in the school can be easily 
replicated in an academic, government, 
or small business environment. Marie 
and Guillaume are in the process of 
setting up other deployment contracts 
within the Poulx school district, as well 
as throughout France. It is easy to sell 
the PC-BSD implementation solution to 
other entities given PC-BSD’s stability, 
reliability, and trouble-free system 
administration. Marie says that even 
though she is the technically ignorant 
half of the partnership with Guillaume, 
she was able to get up to speed on 
installing and using PC-BSD in no 
time. PC-BSD is also significantly more 
cost-effective than its closest non-open 
source competitor, which costs upwards 
of $200 per copy for the full version of 
the operating system. 

Marie and Guillaume are also taking their solution to the Poulx City Hall, which previously contracted them to set up the city's wireless network. City Hall is currently running Windows on 8 of the 12 available computers but has agreed to gradually switch the remaining computers over to PC-BSD. Marie and Guillaume are confident that the software used to run City Hall's administrative functions can be made to work on WINE (a compatibility layer for running Windows programs on top of UNIX). They intend to eventually develop their own solution that does not need WINE. Once the switch-over is complete, Poulx will have the unofficial title of FreeBSD City bestowed upon it by its Mayor.


General Advantages of PC-BSD 
In addition to some of the items listed 
above, there are a number of reasons 
to deploy a FreeBSD-based solution 
when designing a network architecture. 
Because the underlying OS for PC-BSD 
is FreeBSD, these advantages apply to 
PC-BSD as well. 

First of all, the FreeBSD license is unrestrictive and user-friendly, and consists of only a couple of clauses. It does not require people to make their code changes public, which means that you can take BSD-licensed code, change it, and sell it as closed source software. The same is not true for Linux, another popular open source OS, which is released under the GPL (GNU Public License) and requires that changes be contributed back to the source code. As a result, when Linux code is modified, these changes are not proprietary.

Furthermore, FreeBSD eliminates most dependency issues through the FreeBSD Ports System. The Ports System is a software management infrastructure for easily installing, upgrading, and maintaining software on the system.

With PC-BSD, PBIs can be installed in addition to the over 18,000 ports of available applications. PBIs are not part of the centralized repository system. While the PC-BSD Project hosts and maintains many popular programs in PBI format, users can download programs from anyone who has a PBI, and anyone can build PBIs and host them. This is different from Linux, where software availability is mostly controlled by the distro manufacturer.

Finally, FreeBSD is a centrally developed and maintained operating system, whereas Linux is a kernel wrapped in mostly GNU userland utilities. This means that with FreeBSD, a single project comprised of various teams is responsible for the kernel AND the userland, while in Linux, userland utilities and kernel versions differ from distribution to distribution.
Interview with Damien Bergamini, OpenBSD developer

One of the most requested features for wireless networking should be part of OpenBSD 4.4. I am talking about WPA, and I had the pleasure to interview Damien Bergamini, the developer who did a huge amount of work on the OpenBSD wireless subsystem.


Damien worked on the drivers, reverse engineering and building some of the code that can now be found in most free OSes, even OpenSolaris!

The work he did on the WPA implementation follows a different design: the code runs in the kernel and provides a very clear way of configuration, ifconfig.

You could set up WPA-PSK in station mode with a simple line:

    # ifconfig ral0 wpa wpapsk \
        0x0e8de50e2a614dbd83df61db3e042b39617Te8cc8efJ7elf2e83el158al9bad5ea3

or a WPA2-PSK setup for access point mode with:

    # ifconfig ral0 mediaopt hostap nwid openbsd ap chan 5 \
        wpa wpaprotos wpa2 wpaciphers ccmp wpagroupcipher ccmp wpapsk \
        0x0e8de50e2a614dbd83df61db3e042b39617Te8cc8efJelf2e83el158al9badea3

Keep reading for the other cool details! 
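The 0x-prefixed value handed to wpapsk above is the raw 256-bit pre-shared key. When a human passphrase is used instead of a hex key, IEEE 802.11i defines how it is mapped to that key: PBKDF2-HMAC-SHA1 with 4096 iterations and the network name (the nwid) as salt, which is why the key is bound to one SSID. The following added example, not code from the interview or from OpenBSD, performs that mapping, checks the input constraints the standard imposes, and formats the result in the wpapsk form; the passphrase and network name in the usage section are constructed values.

```python
import hashlib
import re

# Parameters fixed by IEEE 802.11i (passphrase-to-PSK mapping, Annex H).
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32  # 256-bit key, i.e. 64 hex digits after the 0x prefix


def validate_passphrase(passphrase: str) -> None:
    """802.11i passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters long")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def validate_ssid(ssid: bytes) -> None:
    """An SSID (nwid) is 1 to 32 octets."""
    if not 1 <= len(ssid) <= 32:
        raise ValueError("ssid must be 1..32 octets long")


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from a passphrase and the network name."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    validate_ssid(ssid_bytes)
    # The SSID is the salt, so the same passphrase yields a different
    # key on every network; changing nwid invalidates the stored key.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PSK_LEN
    )


def psk_to_wpapsk_arg(psk: bytes) -> str:
    """Format a raw PSK as the 0x + 64 hex digit argument used above."""
    if len(psk) != PSK_LEN:
        raise ValueError("a PSK is exactly 32 octets")
    return "0x" + psk.hex()


def parse_wpapsk_arg(arg: str) -> bytes:
    """Reverse direction: accept only a well-formed 0x + 64 hex digit key."""
    if not re.fullmatch(r"0x[0-9a-fA-F]{64}", arg):
        raise ValueError("expected 0x followed by exactly 64 hex digits")
    return bytes.fromhex(arg[2:])


if __name__ == "__main__":
    # Constructed example values; the nwid must match the one configured
    # on the interface or the derived key will not match the AP's.
    psk = passphrase_to_psk("correct horse battery staple", "openbsd")
    print("ifconfig ral0 nwid openbsd wpa wpapsk", psk_to_wpapsk_arg(psk))
```

The derivation is deliberately slow (4096 HMAC rounds) so that guessing passphrases offline is costly, but it cannot rescue a short or dictionary passphrase; that is the reason for the 8-character minimum and for preferring a long random passphrase on a PSK network.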


Could you introduce yourself?

I'm French, I'm 28 years old. I've been an OpenBSD developer since 2004. I have written numerous drivers for 802.11 wireless devices, and lately I added support for WPA-PSK (Wi-Fi Protected Access using pre-shared keys) to our generic 802.11 layer.


What type of difficulties did you have to overcome to implement WPA/WPA2?

The reason it took a long time to implement WPA in OpenBSD is that the various standards that make up WPA are fairly complicated. It's a steep learning curve.

Of course we could have thrown in whatever existing WPA implementation that would have made the trick, but this is not the way we operate in OpenBSD.

OpenBSD tends to be more quality-driven than feature-driven. Before we import a large piece of code in the base system, we must make sure someone in OpenBSD can maintain that code and can fix it should it break. This means at least one developer must fully master that code and be very comfortable with it. We prefer to not support a feature rather than import code we cannot maintain. Although this may be frustrating for our users sometimes, this is a winning strategy in the end.

Before beginning my work on WPA, I studied various existing WPA implementations (mostly wpa_supplicant, hostapd and xsupplicant) but I did not like their design, so I decided to write my own implementation from scratch, taking a very different approach.


What differences do you see in OpenBSD's WPA implementation compared with other BSDs' ones?

Other BSDs use wpa_supplicant for client mode and hostapd for AP mode.

The reason I chose to not go that road is that wpa_supplicant and hostapd are rather huge (in terms of lines of code) and that they try to implement too many things at the same time (802.1X, 802.11i, EAPs).

I particularly did not like the way those tools were reimplementing parts of the 802.11 management entity (MLME) in userspace. This is very redundant with what we already do in the kernel, and it requires that the kernel implement hooks to let the userspace play with the 802.11 management state machine.

In OpenBSD, support for 802.11i is fully implemented in the kernel (in our generic 802.11 layer) because this is the natural place to do it (this is where we keep all the information and states about APs and stations). As a result, you can set up a WPA-PSK network (AP or client mode) without running any external daemon.

You only need to know one command: ifconfig.

However, in OpenBSD, we do not support WPA-Enterprise yet, while other BSDs support it. But this is something I'm actively working on.

I'd like to implement the 802.1X PACP protocol in the kernel (both supplicant and authenticator state machines) for both wired and wireless interfaces. Then I will implement some of the most used EAPs.


Does running WPA in the kernel increase the security risk?

Not at all. In this particular case, I would say quite the opposite, because implementing the 4-way handshake and group key handshake in userspace requires that you let the userspace control the 802.11 kernel state machine, which is very error-prone given that the 802.11 state machine is quite complicated and that not all drivers handle all the possible state transitions properly, especially those that implement the 802.11 state machine in firmware.


Considering that your implementation runs in the kernel, do you see any performance advantage over the other implementations?

No. Except for software encryption/decryption (that other OSes do in the kernel too), WPA is not performance critical.

It consists in the exchange of a small number of packets (4 for the 4-way handshake) between the supplicant (the client) and the authenticator (the access point). This does not require any special optimization.


Is there any work on performance improvements or power saving for wifi drivers?

I'm currently adding hardware crypto support for more chipsets. This should help a bit performance-wise. I'm also working on supporting stations in power save mode when operating as an access point.


I remember that you used only software crypto for WEP, instead of the features included in some chips. Is this still true? What about modern WPA-compliant chips? What advantages do you have using software crypto and open source drivers?

That is not exactly true. Some drivers were already doing WEP in hardware; however, because CCMP is more costly to do in software, it will become critical to support hardware crypto for more devices. I have already implemented hardware crypto for TKIP and CCMP in the Ralink RT2860 driver to make sure our net80211 design was clean enough to allow for both types of crypto.

I am now working on other drivers, like wpi(4) and iwn(4). Some crypto engines are so badly designed, though, that supporting them will offer little to no performance benefit (because, for instance, even if the device supports scatter/gather, the crypto engine does not, and you have to copy every outgoing packet). For these devices we will continue to use the software crypto code.


OpenBSD developed a lot of drivers for wireless chips using reverse engineering. We saw some exploits for closed-source drivers provided by vendors. Were your drivers vulnerable? What type of measures did you adopt to improve wireless drivers security?

Offering open-source drivers does not guarantee that no vulnerability will ever be found. However, you do not need to wait for the vendor (or the developer that wrote the driver under an NDA) to fix that vulnerability.


How are your relationships with vendors? Do they offer you access to datasheets and specs without NDA agreements? Do they let you redistribute their firmwares?

Only a few vendors provide datasheets without NDAs. Ralink is one of them. Zydas also provided some documentation for their USB chipsets before they got bought by Atheros.

There was some documentation available for the earliest Realtek chipsets too, but I'm not sure it's still the case for their latest chipsets. Some vendors, like Intel or Marvell, provide open-source Linux drivers but no documentation. The worst players are Atheros and Broadcom, though things may change with Atheros in the future.


From a security point of view, what setup would you suggest for a wireless network?

For a home network, WPA2-PSK (with 256-bit AES) is a good compromise between security and ease of configuration. WPA2-Enterprise or IPsec are equally good solutions for enterprise networks.


What reasons do you see to deploy an OpenBSD-based access point instead of using one of those cheap little boxes?

Of course, you can always use a classical access point as a bridge if you want, but it is a bit of an overkill if you want to build something small. With the support of more embedded systems in OpenBSD (armish, socppc ports), it becomes even more important to have good support for AP mode. This way you can for example set up a smaller NAS with Wi-Fi support, and all the good things that OpenBSD brings to you (pf, etc.).


Any thoughts on 802.11n?

802.11n is not yet standardized at the time of this writing [May 2008]. It is not yet supported in OpenBSD.

Although we already have drivers for 802.11n devices, they only support 802.11g mode for now. Some parts of the 802.11n specification are very complicated to implement (like block ACK sessions) while the performance gain in a real-life setup is not clear at all.

I don't buy the argument about the improved speed in 802.11n at all. Anyway, I'm planning to work on 802.11n at some point, but there are more important things to do first, like multi-BSS support and improved power management.


by Federico Biancuzzi ed@bsd.it
Apple's emergence into the BSD Community has been a long and storied one. While they are quick to claim membership, as they have derived much of Mac OS X from various points, most notably from FreeBSD 5, I often wonder how much they have returned. Granted, there are not any requirements for such participation in the community, which is a major facet of BSD licensing as a whole. Still, it would be nice to cite some examples of their contributions, and respectfully offer some suggestions.

One of the most often overlooked aspects of Apple's BSD lineage is the fact that, as far as Open Source is concerned, they single-handedly launched FreeBSD into the stratosphere, numbers-wise. BSD can accordingly claim more desktop installations than any other freely available OS, including all of the Linuxes combined. However, I am still left wondering, "Is this enough?". This is especially so since Mac OS X, like DragonFlyBSD, is a fork off of FreeBSD 5, which has been officially deprecated as of the release of FreeBSD 7. I am not saying that either of these products is flawed, just that I have to wonder what Apple's game plan is.

When Apple made the shift to FreeBSD 5 as the base of their OS, many pondered the possibility that Apple would simply evolve their product along the line as FreeBSD itself evolved. Considering that they use their own version of the Mach kernel, there may be little benefit for them to incorporate FreeBSD's major evolutions into their product. Yet it would seem that with the switch to an Intel-based architecture, it would be possible one day to run FreeBSD with an Apple UI, and that truly would be interesting. Considering that they were a bit tardy with the Leopard release, it certainly might help reduce their overhead if they were to adopt this approach.

Another interesting point would be to fully incorporate MacPorts into the base OS right from the installation. This could be especially true on their server version of the product, where it should be a trivial matter to update the installed version of, say, PHP to add a new feature not bundled in the original installation. Do not even get me started on sed, which is version 0.1 from 1987. While Mac OS X updates fix the items they have added to the OS and eventually tie up the loose ends in security issues, they typically do not address that lagging UNIX underbelly.

Personally | would prefer the FreeBSD 
model where you install the OS bare- 
bones. Then install things like Apache 
from the ports rather than have them 
installed by default, as you would on 
other overly bloated operating systems. 
The obvious benefits of this approach 
are well-documented and are discussed 
to death on the various FreeBSD mailing 
lists and forums. 

Another Open Source project to feel the touch of Apple's broad borrowing is the KDE project, as they have adopted the KHTML engine, which is the basis of Konqueror and of their Safari browser. Here again I cannot find a direct example where Apple has done anything more than tell the world "Hey, we use KHTML as the basis for our browser", thus drawing attention to the project that it would not have otherwise garnered on its own. What is truly interesting here is that a tangent of the KDE project has devoted itself to a natively deployable version on Mac OS X without the requirement of X11 at all.

This, of course, leads me to Apple's touting the ability of running thousands of ready-made applications available from the X community. With Leopard, Apple made the shift from XFree86 to Xorg, which was not a happy transition, to say the least. Here again Apple does not treat X as a part of the OS with regards to updates, and users had to wait for quite a while before the version supplied with Leopard was stable. Fact of the matter is, numerous users installed the version found in Tiger in lieu of the latter version so that they could continue to run their favorite applications. This is yet another example of why Apple should just incorporate the ports directly into the OS. Were they to provide the necessary libraries, components and patches, users could keep their systems up to date without issue.

To be fair, I have read that Apple has been kind enough to donate hardware on occasion to Open Source projects. However, I must admit they do not make that list of recipients well known. To sum up their involvement in the Open Source community, it appears to be little more than a marketing ploy, which is truly sad.

If you compare their involvement to that of IBM or NOVELL, who both have a clear track record, Apple would look more like a SUN rather than a true Open Source contributor. Sun has eked ahead only slightly with the recent purchase of MySQL and the decision to keep it open (for now). Finally, sad as it is to say, Microsoft has a more clearly defined stance on Open Source; they made no bones about using FreeBSD's TCP/IP networking stack for years without any intention of giving anything back to the community.

All in all, I must ponder what sorts of leaps and bounds could be made if Apple worked more closely with the community.

Community membership application status: Probationary Approval
A complete guide to PC-BSD

- Enable prisons in PC-BSD for maximum horsepower
- Virtualisation in PC-BSD

and much more...
PC-BSD 7.0 Fibonacci Edition

Perfect for Your Server and Your Desktop

PC-BSD is the operating system of the future: a fully functional desktop operating system running FreeBSD 7 under the hood. Less vulnerable to the viruses, spyware, and crashes that plague other systems, thanks to the stability and security that only a BSD-based operating system can bring. Easy to use, thanks to a graphical system installer and helpful utilities that make installing and using PC-BSD effortless.

PC-BSD Fibonacci Edition takes many of the powerful features inherent in FreeBSD and makes them easier to use in PC-BSD. In addition to the powerful FreeBSD command line, most common tasks can be performed via the optimized and tuned KDE interface. For those who prefer a regular console OS, modify one file to turn off the GUI and disable the X server entirely.

In addition to the FreeBSD Ports and Package Management Systems for software, PC-BSD can install applications via the Push Button Installer (PBI), a graphical utility to remove and install software in a simple-to-use, self-contained format. With PC-BSD's PBI system hundreds of great programs are readily available and can be downloaded from http://www.pbidir.com, with updates made daily. Many PBIs are also available on Disc 2 of PC-BSD. Once downloaded, these PBIs install with their own libraries, eliminating the problem of shared dependencies. Installing one program does not necessarily mean breaking another, as it often does with Linux. ;)

New server tools and enhancements featured in PC-BSD Fibonacci include speed improvements with the ULE Scheduler, experimental ZFS support during install, and UFS Journaling through GEOM. Furthermore, the online update manager can be customized to provide manual updates to individual servers or groups of servers automatically.

Desktop users will appreciate the new searchable kmenu using KBFX, enhanced WiFi compatibility including 802.11n support, and improved Wine stability. The new Xorg graphical configuration tool allows for easy dual-head monitor set up right out of the box. These features are sure to make any user experience more rewarding and productive. PC-BSD is designed to meet the needs of every user, from beginner to expert.

PC-BSD Official Home Website